Merge branch 'security-stable-1.625' into security-stable-1.642

1701ac95 · Jesse Glick · 48ef1542 · c9cea4f2 · 1701ac95 · 1701ac95
3 changed file
--- a/core/src/main/java/hudson/cli/CLIAction.java
+++ b/core/src/main/java/hudson/cli/CLIAction.java
@@ -78,7 +78,7 @@ public class CLIAction implements UnprotectedRootAction, StaplerProxy {
        final String commandName = req.getRestOfPath().substring(1);
        CLICommand command = CLICommand.clone(commandName);
        if (command == null) {
-            rsp.sendError(HttpServletResponse.SC_NOT_FOUND, "No such command " + commandName);
+            rsp.sendError(HttpServletResponse.SC_NOT_FOUND, "No such command");
            return;
        }

--- a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
+++ b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
@@ -5,6 +5,7 @@
 */
 package hudson.security.csrf;
+import java.nio.charset.Charset;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.logging.Level;
@@ -95,7 +96,9 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
        if (request instanceof HttpServletRequest) {
            String newCrumb = issueCrumb(request, salt);
            if ((newCrumb != null) && (crumb != null)) {
-                return newCrumb.equals(crumb);
+                // String.equals() is not constant-time, but this is
+                return MessageDigest.isEqual(newCrumb.getBytes(Charset.forName("US-ASCII")),
+                        crumb.getBytes(Charset.forName("US-ASCII")));
            }
        }
        return false;

--- a/core/src/main/java/jenkins/security/ApiTokenProperty.java
+++ b/core/src/main/java/jenkins/security/ApiTokenProperty.java
@@ -41,6 +41,8 @@ import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import java.io.IOException;
+import java.nio.charset.Charset;
+import java.security.MessageDigest;
 import java.security.SecureRandom;
 import javax.annotation.Nonnull;
 import org.apache.commons.lang.StringUtils;
@@ -109,7 +111,10 @@ public class ApiTokenProperty extends UserProperty {
    }
    public boolean matchesPassword(String password) {
-        return  getApiTokenInsecure().equals(password);
+        String token = getApiTokenInsecure();
+        // String.equals isn't constant time, but this is
+        return MessageDigest.isEqual(password.getBytes(Charset.forName("US-ASCII")),
+                token.getBytes(Charset.forName("US-ASCII")));
    }
    private boolean hasPermissionToSeeToken() {