While it is not a practical exploit at this point, it is best to be defensive. We should change CSRF token comparison to use a constant-time comparison to avoid side-channel attacks.
NOTE: This was originally reported via Xhelal Likaj, xhelallikaj20@gmail.com
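The comparison change described above, as an added illustration that is not Spring Security's own code: a hypothetical `CsrfTokenCompare` class shows the early-exit `String.equals` form beside a constant-time form built on the JDK's `MessageDigest.isEqual`, plus a hand-written loop that makes the "never break early" property visible. The token value is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical helper (not Spring Security's own code) contrasting the two ways
// of checking the token sent in a request against the token stored server-side.
public final class CsrfTokenCompare {

    // Early-exit form: String.equals returns at the first differing character,
    // so the time taken depends on how long a prefix of the guess was correct.
    static boolean equalsEarlyExit(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    // Constant-time form: every byte is examined regardless of where a mismatch
    // occurs, so timing does not depend on the request-supplied value.
    static boolean equalsConstantTime(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = actual.getBytes(StandardCharsets.UTF_8);
        // JDK-provided constant-time comparison; returns false for differing lengths.
        return MessageDigest.isEqual(a, b);
    }

    // The same idea written out by hand. Only the (public, fixed-format) token
    // length influences the loop count; the contents never cause an early return.
    static boolean equalsConstantTimeManual(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return false;
        }
        int result = a.length ^ b.length;      // nonzero if lengths differ
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            result |= a[i] ^ b[i];             // accumulate differences, no break
        }
        return result == 0;
    }

    public static void main(String[] args) {
        String stored = "3f2a9c1e-constructed-sample-token";  // constructed value
        System.out.println(equalsEarlyExit(stored, stored));
        System.out.println(equalsConstantTime(stored, stored));
        System.out.println(equalsConstantTime(stored, "3f2a9c1e-other-value"));
        System.out.println(equalsConstantTimeManual(
                stored.getBytes(StandardCharsets.UTF_8),
                "3f2a9c1e-other-value".getBytes(StandardCharsets.UTF_8)));
    }
}
```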
Comment From: ogarber
Hi @rwinch , I have a question: will this fix also be merged in the older pipelines (I'm interested in 5.2.x...)? Thank you in advance
Comment From: ogarber
Hi @rwinch , sorry for being annoying... Did you see my previous comment?
Comment From: itsmevj
Hi @rwinch, will this fix be merged in older versions like 5.2.x, or when can we expect this release?
Comment From: rwinch
I have backported the issue (see the linked issues). Each issue has a milestone with the expected release date.
Comment From: ogarber
Thank you @rwinch !
Comment From: andydkelly-ig
@rwinch will this be backported to the 5.1.X train at all? Thanks
Comment From: rwinch
Spring Security follows the underlying Spring Framework supported versions: https://github.com/spring-projects/spring-framework/wiki/Spring-Framework-Versions#supported-versions
In particular, Spring Security 5.1 uses Spring Framework 5.1. Since Spring Framework 5.1 is not actively supported, neither is Spring Security 5.1.
Comment From: andydkelly-ig
thanks for responding @rwinch