This is an automated email from the ASF dual-hosted git repository.
thiagohp pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tapestry-5.git
The following commit(s) were added to refs/heads/master by this push:
new d3928ad Compare HMACs with a time-constant string comparison.
d3928ad is described below
commit d3928ad44714b949d247af2652c84dae3c27e1b1
Author: Thiago H. de Paula Figueiredo <[email protected]>
AuthorDate: Fri Apr 19 20:08:51 2019 -0300
Compare HMACs with a time-constant string comparison.
---
.../apache/tapestry5/internal/services/ClientDataEncoderImpl.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git
a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataEncoderImpl.java
b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataEncoderImpl.java
index c98090d..7a26009 100644
---
a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataEncoderImpl.java
+++
b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataEncoderImpl.java
@@ -32,6 +32,7 @@ import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.UnsupportedEncodingException;
import java.security.Key;
+import java.security.MessageDigest;
import java.util.zip.GZIPInputStream;
public class ClientDataEncoderImpl implements ClientDataEncoder
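Review bot: The new comparison in the second hunk of this file calls `storedHmacResult.getBytes()` and `actual.getBytes()` with no charset, so the byte arrays handed to `MessageDigest.isEqual` depend on the platform default encoding; this import block should also gain `import java.nio.charset.StandardCharsets;` so the comparison can read `if (!MessageDigest.isEqual(storedHmacResult.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8)))`. For the HMAC output this is presumably ASCII and the encoding makes no practical difference, but pinning it removes the dependency on JVM configuration and matches the explicit-charset convention the file already follows for `UnsupportedEncodingException`. Note also that `MessageDigest.isEqual` returns early when the two arrays differ in length, so only the length is observable through timing; that is acceptable as long as `macOs.getResult()` always yields output of a fixed length, which the hunk does not show and is worth confirming. The method containing the comparison begins and ends outside the visible hunk.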
@@ -126,13 +127,13 @@ public class ClientDataEncoderImpl implements
ClientDataEncoder
String actual = macOs.getResult();
- if (!storedHmacResult.equals(actual))
+ if (!MessageDigest.isEqual(storedHmacResult.getBytes(),
actual.getBytes()))
{
throw new IOException("Client data associated with the current
request appears to have been tampered with " +
"(the HMAC signature does not match).");
}
}
-
+
public ObjectInputStream decodeEncodedClientData(String clientData) throws
IOException
{
return decodeClientData(urlEncoder.decode(clientData));