•  
      request #11244 Random value used to confirm an email change should be checked in constant time to avoid timing leak
    Infos
    #11244
    Thomas Gerbet (tgerbet)
    2018-03-07 16:15
    2018-03-06 12:20
    11285
    Details
    Random value used to confirm an email change should be checked in constant time to avoid timing leak
    Following the change made for request #11217, one small thing have been missed the random sent by mail is checked in constant time against the value we have in the DB. This might allow someone to deduce the random token through timing leaks without accessing the email address breaking the expected workflow.
    Other
    9.18
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-03-07
    Attachments
    Empty
    References

    Follow-ups