Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Use constant time comparisons for CSRF tokens #9291

Closed
rwinch opened this issue Dec 17, 2020 · 8 comments
Closed

Use constant time comparisons for CSRF tokens #9291

rwinch opened this issue Dec 17, 2020 · 8 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Milestone
5.5.0-M2

Comments

@rwinch
Copy link
Member

rwinch commented Dec 17, 2020
edited
Loading

While it is not a practical exploit at this point, it is best to be defensive. We should change CSRF token comparison to use a constant time comparison to avoid side channel attacks.

NOTE: This was originally reported via Xhelal Likaj, xhelallikaj20@gmail.com
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 17, 2020
@rwinch rwinch closed this as completed in 40e027c Dec 17, 2020
@rwinch rwinch self-assigned this Dec 17, 2020
@rwinch rwinch added this to the 5.5.0-M2 milestone Dec 17, 2020
@ogarber
Copy link

ogarber commented Jan 4, 2021

Hi @rwinch , I have a question: will this fix also be merged in the older pipe-lines (I'm interesting in 5.2.x...).
Thank you in advance

@ogarber
Copy link

ogarber commented Jan 12, 2021

Hi @rwinch , sorry for annoying...
Did you see my previous comment?

@vnjapa
Copy link

vnjapa commented Jan 20, 2021
edited
Loading

Hi @rwinch, will this fix will be merged in older versions like 5.2.x or when can we expect this release

rwinch pushed a commit that referenced this issue Jan 20, 2021
@rwinch
Constant Time Comparison for CSRF tokens
acb5ae6 
Closes gh-9291
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Jan 20, 2021
Closed
rwinch pushed a commit that referenced this issue Jan 20, 2021
@rwinch
Constant Time Comparison for CSRF tokens
e6d6b39 
Closes gh-9291
Closed
rwinch pushed a commit that referenced this issue Jan 20, 2021
@rwinch
Constant Time Comparison for CSRF tokens
1181740 
Closes gh-9291
Closed
@rwinch
Copy link
Member Author

rwinch commented Jan 20, 2021

I have backported the issue (see the linked issues). Each issue has a milestone with the expected release date.

@ogarber
Copy link

ogarber commented Jan 21, 2021

Thank you @rwinch !

@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 14, 2021
Closed
This was referenced Apr 14, 2021
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Jun 22, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Jun 23, 2021
Closed
This was referenced Jul 29, 2021
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Jul 29, 2021
Closed
This was referenced Aug 20, 2021
Closed
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Sep 6, 2021
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Sep 28, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Oct 28, 2021
Closed
This was referenced Nov 3, 2021
Closed
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Nov 11, 2021
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Nov 12, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Dec 2, 2021
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Dec 7, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Dec 30, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Feb 15, 2022
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 7, 2022
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 23, 2022
Open
This was referenced Mar 31, 2022
Closed
Open
@dev-mend-for-github-com dev-mend-for-github-com bot mentioned this issue Apr 8, 2022
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 11, 2022
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 18, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue May 2, 2022
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 4, 2022
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 31, 2022
Open
@sureng-whitesource-app sureng-whitesource-app bot mentioned this issue Jul 22, 2022
Open
@joshn-whitesource-app joshn-whitesource-app bot mentioned this issue Dec 27, 2023
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Projects
None yet
Milestone
5.5.0-M2
Development

No branches or pull requests
5 participants
@rwinch @spring-projects-issues @andydkelly-ig @vnjapa @ogarber