- Issue created by @stella
- Status changed to Needs review
8 months ago 10:59am 26 March 2024 - 🇮🇪Ireland stella
@klausi provided the initial patch for Drupal 10, it needs review and backporting to Drupal 7. Please grant him issue credit.
- 🇦🇹Austria drunken monkey Vienna, Austria
drunken monkey → made their first commit to this issue’s fork.
- Merge request !17 "Fix timing attack vulnerability in token comparison" → (Merged) created by drunken monkey
- 🇦🇹Austria drunken monkey Vienna, Austria
Thanks a lot for proposing this, good catch!
It seems almost impossible to exploit, but I’m the last one to argue against sticking to best practices, so of course such a check should use the correct function. I created an MR with @klausi’s patch so it can be tested. I’m also posting a patch for Drupal 7 with the same fix.
-
drunken monkey →
committed 643134cc on 8.x-1.x
Issue #3436133 by klausi, stella, drunken monkey: Fixed timing attack...
-
drunken monkey →
committed f97e7eae on 7.x-1.x
Issue #3436133 by klausi, stella, drunken monkey: Fixed timing attack...
- Status changed to Fixed
8 months ago 2:42pm 28 March 2024 - 🇦🇹Austria drunken monkey Vienna, Austria
Test bot was happy, too, so I merged the MR with @klausi’s fix.
No test coverage for D7, unfortunately, but seems innocent enough so I just merged that, too. Thanks again, both of you!
Automatically closed - issue fixed for 2 weeks with no activity.
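
The kind of change discussed in this issue, as an added example that is not part of the thread or the module's code: a token check written with an ordinary comparison beside one that compares in constant time. The thread does not name the function used in the patch; PHP's built-in `hash_equals()`, the function names, the secret and the token scheme below are assumptions.

```php
<?php
// Added illustration; not code from the module or the merge request.
// Function names, the secret and the token scheme are assumptions.

/** Builds the expected token for a piece of data (hypothetical scheme). */
function example_token(string $data, string $secret): string {
  return hash_hmac('sha256', $data, $secret);
}

/**
 * Timing-sensitive check: an ordinary string comparison may return as soon
 * as a differing byte is found, so its duration can depend on how much of
 * the supplied value matches the expected one.
 */
function check_token_unsafe(string $supplied, string $expected): bool {
  return $supplied === $expected;
}

/**
 * Constant-time check: for equal-length strings, hash_equals() takes the
 * same time wherever the first difference is. A length mismatch still
 * returns early, which is acceptable for fixed-length tokens.
 */
function check_token_safe($supplied, string $expected): bool {
  // Request parameters can arrive as arrays (?token[]=x). hash_equals()
  // does not accept non-strings (TypeError on PHP 8), so reject them first.
  if (!is_string($supplied)) {
    return FALSE;
  }
  // Known value first, user-supplied value second.
  return hash_equals($expected, $supplied);
}

// Constructed sample values.
$secret = 'constructed-secret-for-demo';
$expected = example_token('node/1', $secret);
$tampered = substr($expected, 0, -1) . ($expected[-1] === '0' ? '1' : '0');

var_dump(check_token_safe($expected, $expected));  // matching token
var_dump(check_token_safe($tampered, $expected));  // last character altered
var_dump(check_token_safe(['x'], $expected));      // array input from a request
```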