dxbjavid opened a new pull request, #3165: URL: https://github.com/apache/cxf/pull/3165
The registration access-token checks in DynamicRegistrationService, the session authenticity token in RedirectionBasedGrantService, and the state token in MemoryClientCodeStateManager all authenticate a request-supplied secret with String.equals, which returns on the first differing byte. Route them through a new OAuthUtils.compareTokens that wraps MessageDigest.isEqual, the same constant-time idiom already used by compareCertificateThumbprints and the JOSE verifiers.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
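As an added illustration (not code from this PR or from CXF itself), a stand-in for the compareTokens helper the description calls for, placed beside an instrumented model of the early-exit String.equals pattern it replaces; the class name, the helper's exact signature and the sample token values are assumptions, only MessageDigest.isEqual is the real JDK API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class TokenCompareDemo {

    // Stand-in for the compareTokens helper the PR describes (name and signature assumed).
    // Nulls never match; the byte comparison is delegated to MessageDigest.isEqual, which
    // XOR-accumulates over every byte and decides only at the end.
    public static boolean compareTokens(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        // Caveat: isEqual still returns at once when the lengths differ, so a caller can
        // learn the token's length but not how much of its content matched.
        return MessageDigest.isEqual(a, b);
    }

    // Instrumented model of the String.equals pattern being replaced: it stops at the
    // first mismatch, so the number of bytes inspected reveals the matching prefix.
    public static int earlyExitSteps(byte[] a, byte[] b) {
        int steps = 0;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            steps++;
            if (a[i] != b[i]) {
                break;
            }
        }
        return steps;
    }

    public static void main(String[] args) {
        // Constructed sample values; the stored token is not a real credential.
        String stored = "b7e2c4a19f0d3e6c";
        String[] guesses = {"0000000000000000", "b7e2000000000000", "b7e2c4a19f0d3e6c"};
        for (String guess : guesses) {
            byte[] s = stored.getBytes(StandardCharsets.UTF_8);
            byte[] g = guess.getBytes(StandardCharsets.UTF_8);
            // The early-exit count grows with the matching prefix; the isEqual path
            // behind compareTokens inspects every byte regardless of where they differ.
            System.out.printf("%s match=%b bytesInspectedByEarlyExit=%d%n",
                guess, compareTokens(stored, guess), earlyExitSteps(s, g));
        }
    }
}
```

Tokens compared this way should also be of a fixed, known length so that the length check inside isEqual reveals nothing a caller did not already know.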
