@gelanivishal
Contributor

@gelanivishal gelanivishal commented Jul 25, 2018

Original Pull Request

#13509

Description

CSRF tokens should be considered sensitive strings. While the risk of a malicious actor attempting to glean the form key via a timing attack is very low, we should still follow best practices in verifying this token.

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)
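
A PHP illustration of the point made in the description, added here as an example and not taken from this pull request or from Magento's code base: an ordinary string comparison of a form key next to a constant-time one. The function names and the `$session` array are hypothetical.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: issue a random per-session form key. */
function issueFormKey(array &$session): string
{
    $session['form_key'] = bin2hex(random_bytes(16));
    return $session['form_key'];
}

/**
 * Before: === on strings is not guaranteed to run in constant time, so the
 * time taken can depend on how much of the submitted value matches.
 */
function validateFormKeyNaive(array $session, $submitted): bool
{
    return isset($session['form_key']) && $submitted === $session['form_key'];
}

/**
 * After: fail closed on missing or non-string input, then compare with
 * hash_equals(), whose timing does not reveal where the strings differ.
 */
function validateFormKey(array $session, $submitted): bool
{
    $expected = $session['form_key'] ?? null;
    if (!is_string($expected) || $expected === '') {
        return false; // no key was issued for this session
    }
    if (!is_string($submitted)) {
        return false; // e.g. form_key[]=x reaches the application as an array
    }
    // Known (secret) string first, user-supplied string second.
    return hash_equals($expected, $submitted);
}

// Constructed sample data.
$session = [];
$key = issueFormKey($session);

var_dump(validateFormKey($session, $key));                    // the issued key
var_dump(validateFormKey($session, substr($key, 0, -1) . 'x')); // last byte wrong
var_dump(validateFormKey($session, ['x']));                   // array instead of string
var_dump(validateFormKey([], ''));                            // no key in session
```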

@VladimirZaets
Contributor

Hi @gelanivishal. Thanks for the contribution. We can't backport the @api annotation to Magento 2.1 because we can't have an API annotation with intervals. Once an API annotation has been declared, all subsequent versions should have the declared annotation, but in the current case, Magento 2.1 will contain the annotation while Magento 2.2.0 will not.

@gelanivishal
Contributor Author

@VladimirZaets I have removed the API annotation. Let me know if there is anything you want to change.

Thank you.

@gelanivishal
Contributor Author

@VladimirZaets Have you checked the requested changes?

@sidolov sidolov self-assigned this Aug 5, 2018
@sidolov sidolov self-requested a review August 5, 2018 11:08
@magento-engcom-team
Contributor

Hi @sidolov, thank you for the review.
ENGCOM-2656 has been created to process this Pull Request

@magento-engcom-team
Contributor

Hi @gelanivishal. Thank you for your contribution.
We will aim to release these changes as part of 2.1.15.
Please check the release notes for final confirmation.

6 participants