Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use time-constant comparison for security tokens #12189

Merged
merged 4 commits into from
Jan 29, 2021
Merged

fix: use time-constant comparison for security tokens #12189

merged 4 commits into from
Jan 29, 2021

Conversation

TatuLund
Copy link
Contributor

@TatuLund TatuLund commented Jan 28, 2021
edited by Artur-
Loading

This is the same as #12188, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

This change is Reviewable

@TatuLund
fix: use time-constant comparison for security tokens
40cbd8d 
This is the same as #12188, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.
@TatuLund
Adding PushHandler part
22674b5
@TatuLund
Adding comment for future sake
0d07cdc
@TatuLund
Updating javadoc
7373716
@TatuLund
Copy link
Contributor Author

Picked from: vaadin/flow@088293f#diff-5bd42695f4eea8faf41963f437e5c8aee8d8f756b949f11fc0b47b1d6da1ec79R124

@TatuLund TatuLund mentioned this pull request Jan 28, 2021
Closed
@TatuLund TatuLund added this to the 8.12.3 milestone Jan 28, 2021
@TatuLund TatuLund mentioned this pull request Jan 28, 2021
Merged
Ansku
Ansku approved these changes Jan 29, 2021
View reviewed changes
Copy link
Member

@Ansku Ansku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 3 of 3 files at r1.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@Ansku Ansku merged commit 885c229 into master Jan 29, 2021
@Ansku Ansku deleted the csrf-fix2 branch January 29, 2021 11:32
Ansku pushed a commit that referenced this pull request Feb 3, 2021
@TatuLund @Ansku
fix: use time-constant comparison for security tokens (#12189)
cce86cc 
This is the same as #12188,
but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Cherry-picked from: vaadin/flow#9896
Ansku added a commit that referenced this pull request Feb 3, 2021
@Ansku
fix: use time-constant comparison for security tokens (#12189) (#12195)
560cccc 
This is the same as #12188,
but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Cherry-picked from: vaadin/flow#9896

Authored-by: Tatu Lund <tatu@vaadin.com>
Ansku pushed a commit that referenced this pull request Feb 3, 2021
@TatuLund
fix: use time-constant comparison for security tokens (#12192)
d0d2cfb 
This is the same as #12190, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Backporting of #12189
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ansku Ansku Ansku approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
8.12.3
Development

Successfully merging this pull request may close these issues.
2 participants
@TatuLund @Ansku