This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new e1ccd89d65 One more location where a constant time comparison could be
used
e1ccd89d65 is described below
commit e1ccd89d65811d7eb34b5895b0291a6824a6ab62
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 12:10:28 2026 +0100
One more location where a constant time comparison could be used
---
java/org/apache/catalina/authenticator/DigestAuthenticator.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
index d36a8af856..34e896d9ff 100644
--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
@@ -43,6 +43,7 @@ import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.buf.StringUtils;
import org.apache.tomcat.util.http.parser.Authorization;
import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+import org.apache.tomcat.util.security.ConstantTime;
/**
@@ -600,7 +601,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
byte[] buffer =
ConcurrentMessageDigest.digest(NONCE_DIGEST,
serverIpTimeKey.getBytes(StandardCharsets.ISO_8859_1));
String digestServerIpTimeKey = HexUtils.toHexString(buffer);
- if (!digestServerIpTimeKey.equals(digestclientIpTimeKey)) {
+ if (!ConstantTime.equals(digestServerIpTimeKey,
digestclientIpTimeKey, true)) {
return false;
}
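Review bot: The `+` line passes `true` as the third argument of `ConstantTime.equals`, and if that flag means ignore-case, as the call shape suggests, the nonce check becomes more lenient than the `String.equals` it replaces, which neither the commit message nor the code explains. Since `digestclientIpTimeKey` appears to be the client's echo of a server-generated hex digest, a one-line why-comment would settle it, e.g. `// constant-time, case-insensitive compare of the client's echoed nonce digest`; if case-insensitivity is not intended, passing `false` keeps the previous semantics while still avoiding the timing side channel. The enclosing method starts outside the hunk, so how `digestclientIpTimeKey` is derived is not visible here; the lower-case `c` in that name also reads as a typo next to `digestServerIpTimeKey`, though renaming it touches lines outside this hunk.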