This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 9beb49ab8d One more location where a constant time comparison could be
used
9beb49ab8d is described below
commit 9beb49ab8dfc5fe4e8bae9ac4592ace49e19246b
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 12:10:28 2026 +0100
One more location where a constant time comparison could be used
---
java/org/apache/catalina/authenticator/DigestAuthenticator.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
index faa4cfb3fc..ec48f56655 100644
--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
@@ -42,6 +42,7 @@ import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.buf.StringUtils;
import org.apache.tomcat.util.http.parser.Authorization;
import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+import org.apache.tomcat.util.security.ConstantTime;
/**
@@ -640,7 +641,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
byte[] buffer =
ConcurrentMessageDigest.digest(NONCE_DIGEST,
serverIpTimeKey.getBytes(StandardCharsets.ISO_8859_1));
String digestServerIpTimeKey = HexUtils.toHexString(buffer);
- if (!digestServerIpTimeKey.equals(digestclientIpTimeKey)) {
+ if (!ConstantTime.equals(digestServerIpTimeKey,
digestclientIpTimeKey, true)) {
return false;
}
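Review bot: The new `ConstantTime.equals(digestServerIpTimeKey, digestclientIpTimeKey, true)` call replaces a `String.equals` that returned false for a null `digestclientIpTimeKey`; whether `ConstantTime.equals` tolerates a null second argument is not visible in this hunk and should be confirmed, since that value appears to originate from the client's Authorization header. The trailing `true` is an unexplained boolean literal whose meaning a reader cannot recover from this hunk; consider a local such as `final boolean ignoreCase = true;` (or whatever the flag actually denotes) so the intent is visible at the call site. A one-line comment above the check would also help: `// Constant-time compare: the opaque value is client-supplied, so a timing-dependent String.equals could leak how many leading characters of the expected digest match.` The enclosing method starts and ends outside this hunk.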