Skip to content

Compare token fix #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
elithrar merged 2 commits into from
Feb 13, 2016
Merged

Compare token fix #24

elithrar merged 2 commits into from
Feb 13, 2016

Conversation

@elithrar
Copy link
Contributor

@elithrar elithrar commented Feb 13, 2016

Also as per goji/csrf#8

  • subtle.ConstantTimeCompare did not check for matching slice lengths prior to Go
    1.3 (fixed in https://codereview.appspot.com/118750043).
  • gorilla/csrf was released a year after this came into place.
  • Our TravisCI tests did not test against older versions of Go, and this wasn't
    caught as a result.
  • Have added Go 1.2 and Go 1.3 to the TravisCI config to address any future
    regressions.

@elithrar
[bugfix] Token comparison could fail on versions of Go < 1.3.
46fe744 
- subtle.ConstantTimeCompare did not check for matching slice lengths prior to Go
  1.3 (fixed in https://codereview.appspot.com/118750043).
- gorilla/csrf was released a year after this came into place.
- Our TravisCI tests did not test against older versions of Go, and this wasn't
  caught as a result.
- Have added Go 1.2 and Go 1.3 to the TravisCI config to address any future
  issues.
@elithrar
[ci] Updated Travis to use matrix builds.
a5a43fb
@elithrar elithrar added the bug label Feb 13, 2016
@elithrar elithrar self-assigned this Feb 13, 2016
elithrar added a commit that referenced this pull request Feb 13, 2016
@elithrar
Merge pull request #24 from gorilla/compare-token-fix
fc3cfc6 
[bugfix] Compare token fix


- subtle.ConstantTimeCompare did not check for matching slice lengths prior to Go
  1.3 (fixed in https://codereview.appspot.com/118750043).
- gorilla/csrf was released a year after this came into place.
- Our TravisCI tests did not test against older versions of Go, and this wasn't
  caught as a result.
- Have added Go 1.2 and Go 1.3 to the TravisCI config to address any future
  regressions.
@elithrar elithrar merged commit fc3cfc6 into master Feb 13, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@elithrar elithrar

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elithrar