
Prevent timing attack on CSRF

Open eutopian opened this issue 6 years ago • 5 comments

use secure_compare instead of plain equality comparison on request and callback state to prevent timing attacks.

eutopian avatar Nov 13 '18 23:11 eutopian
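As an added illustration of the change this PR describes (example code, not omniauth-oauth2's own; the request_phase/callback_phase helpers and the Hash used as a session are simplified stand-ins), the state check in its plain-equality form next to a constant-time form built the way Rack::Utils.secure_compare is:

```ruby
require "securerandom"

# Vulnerable form: String#== stops at the first differing byte, so the time the
# comparison takes leaks how long a prefix the supplied state shares with the
# value kept in the session.
def state_valid_plain?(callback_state, session_state)
  return false if callback_state.nil? || session_state.nil?
  callback_state == session_state
end

# Constant-time comparison (same approach as Rack::Utils.secure_compare):
# bail out on a length mismatch (length is not secret), otherwise XOR every
# byte pair and OR the results so every byte is always examined.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# Hardened form: reject missing values, then compare in constant time.
def state_valid_secure?(callback_state, session_state)
  return false if callback_state.nil? || session_state.nil?
  secure_compare(callback_state, session_state)
end

# Request phase (hypothetical simplification): mint an unguessable state value
# and remember it in the session under the key omniauth uses.
def request_phase(session)
  session["omniauth.state"] = SecureRandom.hex(24)
end

# Callback phase (hypothetical simplification): the provider echoes the state
# back in params; it must match the session copy, which is consumed so the
# same value cannot be replayed.
def callback_phase(session, params)
  expected = session.delete("omniauth.state")
  state_valid_secure?(params["state"], expected) ? :ok : :csrf_detected
end
```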

Hey! Would you mind rebasing on master and removing all rubocop specific updates? I'll merge this in once that's complete. Thanks!

tmilewski avatar Dec 14 '18 21:12 tmilewski

@tmilewski Hi! Just did that, thanks!

eutopian avatar Dec 19 '18 22:12 eutopian

Perfect, thank you! I’ll try and get this pushed up later today.

Thanks again!

tmilewski avatar Dec 20 '18 16:12 tmilewski

Closing and reopening to trigger CI

BobbyMcWho avatar Jan 12 '21 01:01 BobbyMcWho

I don't have permission to write to this fork but was wondering if it's possible to get this PR over the line (or the new PR I just opened which resolves the merge conflicts and spec rename) to fix an outstanding security vuln that's also affecting omniauth-auth0 downstream. I didn't find a CONTRIBUTING.md but would love more information on contributing if it would help.

jhartzler avatar Sep 27 '23 20:09 jhartzler