aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
diff options
context:
space:
mode:
authorVipul A M <vipulnsward@gmail.com>2016-04-12 02:41:06 +0530
committerVipul A M <vipulnsward@gmail.com>2017-06-07 03:45:10 +0530
commitfa487763d98ccf9c3e66fdb44f09af5c37a50fe5 (patch)
tree64fdab96c6cd6c085366c2d4c3eb6a0f83e8fbd6 /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parentac8b79d553592b3c9515940b5fe5e9d3c7ec9a45 (diff)
downloadrails-fa487763d98ccf9c3e66fdb44f09af5c37a50fe5.tar.gz
rails-fa487763d98ccf9c3e66fdb44f09af5c37a50fe5.tar.bz2
rails-fa487763d98ccf9c3e66fdb44f09af5c37a50fe5.zip
Changed default behaviour of `ActiveSupport::SecurityUtils.secure_compare`,
to make it not leak length information even for variable length string. Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`, and started raising `ArgumentError` in case of length mismatch of passed strings.
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 5051c02a62..13662fc021 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -353,7 +353,7 @@ module ActionController #:nodoc:
end
def compare_with_real_token(token, session) # :doc:
- ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
end
def valid_per_form_csrf_token?(token, session) # :doc:
@@ -364,7 +364,7 @@ module ActionController #:nodoc:
request.request_method
)
- ActiveSupport::SecurityUtils.secure_compare(token, correct_token)
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, correct_token)
else
false
end