[FIX SECURITY-245] Compare crumbs in constant time

559566b1 · Daniel Beck · 536c01bf · 559566b1
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java ...rc/main/java/hudson/security/csrf/DefaultCrumbIssuer.java +1 -1

未找到文件。
--- a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
+++ b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
@@ -95,7 +95,7 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
        if (request instanceof HttpServletRequest) {
            String newCrumb = issueCrumb(request, salt);
            if ((newCrumb != null) && (crumb != null)) {
-                return newCrumb.equals(crumb);
+                return MessageDigest.isEqual(newCrumb.getBytes(), crumb.getBytes());
            }
        }
        return false;