This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new febc4b3b3a One more location where a constant time comparison could be
used
febc4b3b3a is described below
commit febc4b3b3a64b2f1351f52ef2939ca2249b8509e
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 12:10:28 2026 +0100
One more location where a constant time comparison could be used
---
java/org/apache/catalina/authenticator/DigestAuthenticator.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
index 1625779b2b..a254815ff6 100644
--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
@@ -42,6 +42,7 @@ import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.buf.StringUtils;
import org.apache.tomcat.util.http.parser.Authorization;
import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+import org.apache.tomcat.util.security.ConstantTime;
/**
@@ -640,7 +641,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
byte[] buffer =
ConcurrentMessageDigest.digest(NONCE_DIGEST,
serverIpTimeKey.getBytes(StandardCharsets.ISO_8859_1));
String digestServerIpTimeKey = HexUtils.toHexString(buffer);
- if (!digestServerIpTimeKey.equals(digestclientIpTimeKey)) {
+ if (!ConstantTime.equals(digestServerIpTimeKey,
digestclientIpTimeKey, true)) {
return false;
}
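Review bot: The bare `true` passed as the third argument to `ConstantTime.equals` on the `+` line gives a reader no hint what it toggles, and since this is the branch that decides whether a client-supplied nonce is accepted, the intent of that flag should be visible at the call site. The old `String.equals` was case-sensitive on the hex digest, so if the flag changes case handling (or how differing lengths are treated) that is a small behaviour change worth stating; I cannot see `ConstantTime` in this patch, so please confirm against its javadoc. Suggest either a one-line comment immediately above the check, e.g. `// Constant-time compare of the server-side nonce digest against the client value; third arg: <meaning per ConstantTime.equals>`, or a named local such as `final boolean ignoreCase = true;` (or whatever the flag actually means) passed in place of the literal. The enclosing method starts and ends outside this hunk, so I have not checked where `digestclientIpTimeKey` is parsed or whether it can be null when it reaches this comparison.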