Commit
fix: use time-constant comparison for CSRF tokens (#9875)
This hardens the framework against a theoretical timing attack based on comparing how quickly a request with an invalid CSRF token is rejected.
a7ff693
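The commit message above says why the comparison was changed but not what the two forms look like. The following is an added example, not code from this commit or from the framework it patches (the page does not name the project, so Go and the function names here are assumptions): an early-exit comparison of the kind the commit replaces, beside a constant-time check built on crypto/subtle. Hashing both tokens before comparing makes the inputs fixed-length, so the length check inside ConstantTimeCompare cannot reveal anything about the stored token even when a request sends a token of the wrong size.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// naiveEqual is the pattern the commit moves away from. It returns as soon
// as one byte differs, so the time it takes depends on how many leading
// bytes the request token shares with the stored token. Kept here only to
// contrast with the hardened version below.
func naiveEqual(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		if a[i] != b[i] {
			return false // early exit: data-dependent timing
		}
	}
	return true
}

// tokensEqual compares a stored CSRF token with one received in a request
// without letting the result of the comparison influence how long it takes.
// Both sides are hashed to a fixed 32-byte digest first, so the comparison
// always runs over the same number of bytes regardless of input lengths.
func tokensEqual(expected, provided string) bool {
	e := sha256.Sum256([]byte(expected))
	p := sha256.Sum256([]byte(provided))
	return subtle.ConstantTimeCompare(e[:], p[:]) == 1
}

func main() {
	// Constructed sample tokens; a real framework would generate the stored
	// token with crypto/rand and keep it in the session.
	stored := "3f9c2a7b1e4d8c6a0b5f7e2d9c1a4b8e"
	cases := []string{
		stored,                             // valid request
		"3f9c2a7b1e4d8c6a0b5f7e2d9c1a4b8f", // differs in last byte
		"3f9c",                             // wrong length
		"",                                 // missing token
	}
	for _, c := range cases {
		fmt.Printf("naive=%-5v constant-time=%-5v token=%q\n",
			naiveEqual(stored, c), tokensEqual(stored, c), c)
	}
}
```

Both functions give the same answers; only the constant-time one gives them in a way that does not depend on where the first mismatch falls.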
Dear developers,
I found that the patch introduced a variable "uiToken" that does not exist in the context, causing the version to fail to compile when used. This may be an error accidentally introduced when cherry picking other branches, and here is a patch change suggestion:
That problem was subsequently fixed in 674425b