Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #11244 Random value used to confirm an email change should be checked in constant time to avoid timing leak
    Actions
    Infos
    #11244
    Thomas Gerbet (tgerbet)
    2018-03-07 16:15
    2018-03-06 12:20
    11575
    Details
    Random value used to confirm an email change should be checked in constant time to avoid timing leak
    Following the change made for request #11217, one small thing have been missed the random sent by mail is checked in constant time against the value we have in the DB. This might allow someone to deduce the random token through timing leaks without accessing the email address breaking the expected workflow.
    Other
    9.18
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-03-07
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #10994 Tuleap Releases 9.19 Delivered 2018-04-04 14:53 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #11244

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/47/10747/2' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD a24af40f6c
    User avatar Nicolas Terray (nterray) , 2018-03-07 16:17
    request #11244: Random value used to confirm an email change should be checked in constant time fbb89578ee
    User avatar Thomas Gerbet (tgerbet) , 2018-03-07 13:44
    Display settings

    Follow-ups