authorJakub Kuźma <qoobaa@gmail.com>2009-09-11 09:13:14 +0200
committerMichael Koziarski <michael@koziarski.com>2009-09-12 12:48:34 +1200
commitb22c951e7adabe8d37ee2804487c267d5e2006b1 (patch)
treea829985ba11a64742a2a992edd8588d02e1ae1ec
parentff2eb2d8085f138acc6815690b519c30e458513b (diff)
ruby 1.9 friendly secure_compare
Signed-off-by: Michael Koziarski <michael@koziarski.com>
-rw-r--r--activesupport/lib/active_support/message_verifier.rb15
1 files changed, 6 insertions, 9 deletions
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index 8d14423d91..5596784eff 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -38,24 +38,21 @@ module ActiveSupport
end
private
- if "foo".respond_to?(:force_encoding)
+ if "foo".respond_to?(:bytesize)
# constant-time comparison algorithm to prevent timing attacks
+ # > 1.8.6 friendly version
def secure_compare(a, b)
- a = a.force_encoding(Encoding::BINARY)
- b = b.force_encoding(Encoding::BINARY)
-
- if a.length == b.length
+ if a.bytesize == b.bytesize
result = 0
- for i in 0..(a.length - 1)
- result |= a[i].ord ^ b[i].ord
- end
+ j = b.each_byte
+ a.each_byte { |i| result |= i ^ j.next }
result == 0
else
false
end
end
else
- # For 1.8
+ # For <= 1.8.6
def secure_compare(a, b)
if a.length == b.length
result = 0
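Review bot: In the `bytesize` branch, `j = b.each_byte` followed by `j.next` inside the `a.each_byte` block walks `b` through an external Enumerator, which MRI 1.9 backs with a Fiber and which is usually far slower per byte than internal iteration; the comparison still touches every byte, so this is a cost and readability point rather than a timing leak. Unpacking one side first keeps the loop data-independent without the enumerator: `l = a.unpack("C*")` then `b.each_byte { |byte| result |= byte ^ l.shift }`. The comment `# > 1.8.6 friendly version` would be clearer as `# Ruby >= 1.8.7: compares raw bytes; the early return on a bytesize mismatch reveals length only`. The `<= 1.8.6` definition of `secure_compare` continues past the end of this hunk, so it is not reviewed here.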