[Forwardport] Use constant time string comparison in FormKey validator #16518

Merged

Conversation

gelanivishal
Contributor

Original Pull Request

#13509

Description

CSRF tokens should be considered sensitive strings. While the risk of a malicious actor attempting to gleam the form key via a timing attack is very low, we should still follow best practices in verifying this token.

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)
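
The check this pull request describes, shown as an added example rather than Magento's own validator code: the naive comparison beside the constant-time one. The class and parameter names (FormKeyCheck, $sessionFormKey, $submittedFormKey) and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not Magento's code: a minimal form-key check written two ways.
// The names FormKeyCheck, $sessionFormKey and $submittedFormKey are assumptions.

declare(strict_types=1);

final class FormKeyCheck
{
    // Before: PHP's `===` on strings stops at the first differing byte, so the
    // time the comparison takes depends on how many leading bytes matched.
    public static function validateNaive(string $sessionFormKey, ?string $submittedFormKey): bool
    {
        return $submittedFormKey !== null && $sessionFormKey === $submittedFormKey;
    }

    // After: hash_equals() walks the whole known string whatever the input is,
    // so the time taken does not depend on where the first mismatch occurs.
    public static function validateConstantTime(string $sessionFormKey, ?string $submittedFormKey): bool
    {
        // Normalise an absent parameter to '' so hash_equals() always gets strings
        // (PHP 8 throws a TypeError for non-string arguments).
        $submitted = $submittedFormKey ?? '';
        // Caveat: hash_equals() returns false immediately when the lengths differ;
        // form keys have a fixed length, so a length mismatch reveals nothing useful.
        return hash_equals($sessionFormKey, $submitted);
    }
}

// Constructed sample values for the demonstration, not real form keys.
$known = 'Ab3dE9fGhJkLmNoP';
foreach (['Ab3dE9fGhJkLmNoP', 'Ab3dE9fGhJkLmNoQ', 'Zb3dE9fGhJkLmNoP', null] as $candidate) {
    var_dump(FormKeyCheck::validateConstantTime($known, $candidate));
}
```

Both functions return the same booleans for the same input; the difference is only in how long a mismatch takes to reject, which is what the timing concern is about.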

p0pr0ck5 and others added 2 commits July 4, 2018 02:00
CSRF tokens should be considered sensitive strings. While the
risk of a malicious actor attempting to gleam the form key via a
timing attack is very low, we should still follow best practices
in verifying this token.
@magento-engcom-team
Contributor

Hi @gelanivishal. Thank you for your contribution.
Here are some useful tips on how you can test your changes using the Magento test environment.
Add a comment under your pull request to deploy a test or vanilla Magento instance:

  • @magento-engcom-team give me test instance - deploy test instance based on PR changes
  • @magento-engcom-team give me {$VERSION} instance - deploy vanilla Magento instance

For more details, please, review the Magento Contributor Assistant documentation

@orlangur orlangur self-assigned this Jul 4, 2018
@magento-engcom-team
Contributor

Hi @orlangur, thank you for the review.
ENGCOM-2183 has been created to process this Pull Request

@gelanivishal gelanivishal changed the title Use constant time string comparison in FormKey validator [Forwardport] Use constant time string comparison in FormKey validator Jul 14, 2018
@magento-engcom-team magento-engcom-team merged commit 11a95d6 into magento:2.3-develop Jul 19, 2018
@magento-engcom-team
Contributor

Hi @gelanivishal. Thank you for your contribution.
We will aim to release these changes as part of 2.3.0.
Please check the release notes for final confirmation.

5 participants