fix: use time-constant comparison for security tokens (#9896) (CP: 5.0) #9910

vaadin-bot · 2021-01-28T14:21:15Z

No description provided.

This is the same as #9875, but also applied for the upload security key and the push id since both of those are also used to protect against cross-site attacks. In addition, documentation for the push id is clarified to point out its role.

vaadin-bot · 2021-01-28T17:21:31Z

SonarQube analysis reported 1 issue

Note: The following issues were found on lines that were not modified in the pull request. Because these issues can't be reported as line comments, they are summarized here:

VaadinSession.java#L77: Do not forget to remove this deprecated code someday.

This is the same as #9875, but also applied for the upload security key and the push id since both of those are also used to protect against cross-site attacks. In addition, documentation for the push id is clarified to point out its role. Co-authored-by: Leif Åstrand <leif@vaadin.com>

vaadin-bot added the +0.0.1 label Jan 28, 2021

tanbt approved these changes Feb 4, 2021

View reviewed changes

tanbt merged commit ad15179 into 5.0 Feb 4, 2021

tanbt deleted the cherry-pick-9896-to-5.0-1611843661207 branch February 4, 2021 08:47

tanbt added this to the 1.0.14 milestone Feb 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: use time-constant comparison for security tokens (#9896) (CP: 5.0) #9910

fix: use time-constant comparison for security tokens (#9896) (CP: 5.0) #9910

vaadin-bot commented Jan 28, 2021

vaadin-bot commented Jan 28, 2021

fix: use time-constant comparison for security tokens (#9896) (CP: 5.0) #9910

fix: use time-constant comparison for security tokens (#9896) (CP: 5.0) #9910

Conversation

vaadin-bot commented Jan 28, 2021

vaadin-bot commented Jan 28, 2021