From 2327b262886d90d181428ad730d2abb98bf33bbd Mon Sep 17 00:00:00 2001
From: metsw24-max
Date: Mon, 1 Jun 2026 23:12:24 +0530
Subject: [PATCH 1/2] compare XSRF token in constant time

---
 .../gwt/user/server/rpc/XsrfProtectedServiceServlet.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
index 43702cc0794..c1d29171a31 100644
--- a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
+++ b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
@@ -23,6 +23,7 @@ import com.google.gwt.util.tools.shared.StringUtils;
 import java.lang.reflect.Method;
+import java.security.MessageDigest;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -115,8 +116,10 @@ protected void validateXsrfToken(RpcToken token, Method method)
 String expectedToken = StringUtils.toHexString(
 Md5Utils.getMd5Digest(sessionCookie.getValue().getBytes()));
 XsrfToken xsrfToken = (XsrfToken) token;
+ String providedToken = xsrfToken.getToken();
- if (!expectedToken.equals(xsrfToken.getToken())) {
+ if (providedToken == null || !MessageDigest.isEqual(
+ expectedToken.getBytes(), providedToken.getBytes())) {
 throw new RpcTokenException("Invalid XSRF token");
 }
 }
From 59f9397325b7fcf9cb754e8f63e83decb7f80bf5 Mon Sep 17 00:00:00 2001
From: metsw24-max
Date: Tue, 2 Jun 2026 11:49:51 +0530
Subject: [PATCH 2/2] Specify UTF-8 charset when comparing XSRF token bytes

---
 .../gwt/user/server/rpc/XsrfProtectedServiceServlet.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
index c1d29171a31..05d95a5c79c 100644
--- a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
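Review bot: The switch to `MessageDigest.isEqual` in the second hunk needs a why-comment, otherwise a later reader is likely to "simplify" it back to `equals`; suggest placing `// Constant-time compare: response timing must not depend on how many leading characters of the token match.` directly above the new `if`. Note that `isEqual` still returns early when the two arrays differ in length, which is acceptable here because the expected value is a fixed-length hex-encoded digest and its length is not secret. The explicit `providedToken == null` guard preserves the previous behaviour, where `equals(null)` evaluated to false and fell through to the same `RpcTokenException`. The body of validateXsrfToken begins before this hunk.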
+++ b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
@@ -23,6 +23,7 @@ import com.google.gwt.util.tools.shared.StringUtils;
 import java.lang.reflect.Method;
+import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import javax.servlet.ServletException;
@@ -119,7 +120,8 @@ protected void validateXsrfToken(RpcToken token, Method method)
 String providedToken = xsrfToken.getToken();
 if (providedToken == null || !MessageDigest.isEqual(
- expectedToken.getBytes(), providedToken.getBytes())) {
+ expectedToken.getBytes(StandardCharsets.UTF_8),
+ providedToken.getBytes(StandardCharsets.UTF_8))) {
 throw new RpcTokenException("Invalid XSRF token");
 }
 }
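Review bot: The explicit charset stops one statement short: `sessionCookie.getValue().getBytes()` in the digest input, just above this hunk (visible as context in the first patch), still uses the platform default encoding, so the two `getBytes` calls in the same method now follow different rules. Those digest input bytes must stay identical to whatever the token issuer hashes, so either change that call together with the issuing side or leave a comment explaining why it is deliberately untouched, e.g. `// Encoding must match the one used when the token was issued.` For the comparison itself both values are expected to be hex digits, so `UTF_8` and any ASCII-compatible default charset yield the same bytes; the change is still worthwhile because it removes the dependence on the JVM's default. validateXsrfToken begins before this hunk.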