[SECURITY-245] Add explanation comment

281cd6c6 · Daniel Beck · 559566b1 · 281cd6c6
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java ...rc/main/java/hudson/security/csrf/DefaultCrumbIssuer.java +1 -0

未找到文件。
--- a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
+++ b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
@@ -95,6 +95,7 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
        if (request instanceof HttpServletRequest) {
            String newCrumb = issueCrumb(request, salt);
            if ((newCrumb != null) && (crumb != null)) {
+                // String.equals() is not constant-time, but this is
                return MessageDigest.isEqual(newCrumb.getBytes(), crumb.getBytes());
            }
        }