Add rationale for manually checking auth_tag length, which got lost when #25874 was squashed before merging [skip ci]

author: Bart de Water <bart@somnilocode.nl> 2016-07-27 13:41:40 +0200
committer: Bart de Water <bart@somnilocode.nl> 2016-07-27 13:41:40 +0200
commit: 73209aa7a3abb942e144e358135e5d39a70294fd (patch)
tree: c7a79db37aa5072515d043a60379b371690d00ed /activesupport/lib/active_support/message_encryptor.rb
parent: 7e6996a1b36cdf8158a27eeaa7e6d97a05994707 (diff)
download: rails-73209aa7a3abb942e144e358135e5d39a70294fd.tar.gz
rails-73209aa7a3abb942e144e358135e5d39a70294fd.tar.bz2
rails-73209aa7a3abb942e144e358135e5d39a70294fd.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb
index 87efe117c5..1f2736388d 100644
--- a/activesupport/lib/active_support/message_encryptor.rb
+++ b/activesupport/lib/active_support/message_encryptor.rb
@@ -99,6 +99,10 @@ module ActiveSupport
     def _decrypt(encrypted_message)
       cipher = new_cipher
       encrypted_data, iv, auth_tag = encrypted_message.split("--".freeze).map {|v| ::Base64.strict_decode64(v)}
+
+      # Currently the OpenSSL bindings do not raise an error if auth_tag is
+      # truncated, which would allow an attacker to easily forge it. See
+      # https://github.com/ruby/openssl/issues/63
       raise InvalidMessage if aead_mode? && auth_tag.bytes.length != 16
 
       cipher.decrypt
author	Bart de Water <bart@somnilocode.nl>	2016-07-27 13:41:40 +0200
committer	Bart de Water <bart@somnilocode.nl>	2016-07-27 13:41:40 +0200
commit	73209aa7a3abb942e144e358135e5d39a70294fd (patch)
tree	c7a79db37aa5072515d043a60379b371690d00ed /activesupport/lib/active_support/message_encryptor.rb
parent	7e6996a1b36cdf8158a27eeaa7e6d97a05994707 (diff)
download	rails-73209aa7a3abb942e144e358135e5d39a70294fd.tar.gz rails-73209aa7a3abb942e144e358135e5d39a70294fd.tar.bz2 rails-73209aa7a3abb942e144e358135e5d39a70294fd.zip