Skip to content

Commit

Permalink
fix: use time-constant comparison for CSRF tokens (#12190)
Browse files Browse the repository at this point in the history 
This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Backporting of #12188
  • Loading branch information
@TatuLund
TatuLund authored Feb 4, 2021
1 parent d0d2cfb commit a26eb8d
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion server/src/main/java/com/vaadin/server/VaadinService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,12 @@
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
Expand Down Expand Up @@ -1761,7 +1763,15 @@ public static boolean isCsrfTokenValid(VaadinSession session,
.isXsrfProtectionEnabled()) {
String sessionToken = session.getCsrfToken();

if (sessionToken == null || !sessionToken.equals(requestToken)) {
try {
if (sessionToken == null || !MessageDigest.isEqual(
sessionToken.getBytes("UTF-8"),
requestToken.getBytes("UTF-8"))) {
return false;
}
} catch (UnsupportedEncodingException e) {
getLogger().log(Level.WARNING,
"Session token was not UTF-8, this should never happen.");
return false;
}
}
Expand Down

0 comments on commit a26eb8d

Please sign in to comment.