diff options
author | Vipul A M <vipulnsward@gmail.com> | 2016-04-12 02:41:06 +0530 |
---|---|---|
committer | Vipul A M <vipulnsward@gmail.com> | 2017-06-07 03:45:10 +0530 |
commit | fa487763d98ccf9c3e66fdb44f09af5c37a50fe5 (patch) | |
tree | 64fdab96c6cd6c085366c2d4c3eb6a0f83e8fbd6 /actionpack/lib/action_controller/metal/request_forgery_protection.rb | |
parent | ac8b79d553592b3c9515940b5fe5e9d3c7ec9a45 (diff) | |
download | rails-fa487763d98ccf9c3e66fdb44f09af5c37a50fe5.tar.gz rails-fa487763d98ccf9c3e66fdb44f09af5c37a50fe5.tar.bz2 rails-fa487763d98ccf9c3e66fdb44f09af5c37a50fe5.zip |
Changed default behaviour of `ActiveSupport::SecurityUtils.secure_compare`,
to make it not leak length information even for variable length string.
Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
and started raising `ArgumentError` in case of length mismatch of passed strings.
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 5051c02a62..13662fc021 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -353,7 +353,7 @@ module ActionController #:nodoc: end def compare_with_real_token(token, session) # :doc: - ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session)) + ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session)) end def valid_per_form_csrf_token?(token, session) # :doc: @@ -364,7 +364,7 @@ module ActionController #:nodoc: request.request_method ) - ActiveSupport::SecurityUtils.secure_compare(token, correct_token) + ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, correct_token) else false end |