Use constant time comparisons for CSRF tokens #9291

Closed
@rwinch

Description

While it is not a practical exploit at this point, it is best to be defensive. We should change CSRF token comparison to use a constant time comparison to avoid side channel attacks.

NOTE: This was originally reported via Xhelal Likaj, [email protected]
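
The comparison this issue asks for, shown as an added example (it is not part of the original issue and is not the project's own code): an early-exit string comparison next to one built on the JDK's `MessageDigest.isEqual`. The class name, method names and token values are assumptions made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CsrfTokenCompare {

    // Early-exit comparison: String.equals returns at the first differing
    // character, so its running time depends on the length of the matching prefix.
    static boolean leakyEquals(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    // Time-constant comparison: MessageDigest.isEqual does not stop at the
    // first differing byte, so timing does not reveal where the mismatch is.
    static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false; // a missing token never matches
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] actualBytes = actual.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedBytes, actualBytes);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens.
        String stored = "6f1c2a9e-constructed-sample-token";
        String[] submitted = {
            stored,                               // exact match
            "6f1c2a9e-constructed-sample-tokeX",  // differs in the last character
            "Xf1c2a9e-constructed-sample-token",  // differs in the first character
            "6f1c2a9e",                           // shorter value
            null                                  // header or parameter absent
        };
        // Both methods return the same verdicts; only the timing behaviour differs.
        for (String s : submitted) {
            System.out.printf("%-36s leaky=%b constantTime=%b%n",
                    s, leakyEquals(stored, s), constantTimeEquals(stored, s));
        }
    }
}
```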

Labels

in: web (An issue in web modules (web, webmvc))
status: backported (An issue that has been backported to maintenance branches)
type: enhancement (A general enhancement)
