Merge pull request #55 from jenkinsci-cert/SECURITY-241

[FIX SECURITY-241] Compare API tokens in constant time

core/src/main/java/jenkins/security/ApiTokenProperty.java

@@ -41,6 +41,8 @@ import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 
 import java.io.IOException;
+import java.nio.charset.Charset;
+import java.security.MessageDigest;
 import java.security.SecureRandom;
 import javax.annotation.Nonnull;
 import org.apache.commons.lang.StringUtils;
@@ -109,7 +111,10 @@ public class ApiTokenProperty extends UserProperty {
     }
 
     public boolean matchesPassword(String password) {
-        return  getApiTokenInsecure().equals(password);
+        String token = getApiTokenInsecure();
+        // String.equals isn't constant time, but this is
+        return MessageDigest.isEqual(password.getBytes(Charset.forName("US-ASCII")),
+                token.getBytes(Charset.forName("US-ASCII")));
     }
     
     private boolean hasPermissionToSeeToken() {