diff options
author | Emilio Tagua <miloops@gmail.com> | 2009-09-08 15:38:51 -0300 |
---|---|---|
committer | Emilio Tagua <miloops@gmail.com> | 2009-09-08 15:38:51 -0300 |
commit | 670281c6b2e9b9e8c51a140f2a5f66b251f1b84b (patch) | |
tree | ab141872d72e010c8a0fe371d22a00914c97e1eb /activesupport/lib/active_support/message_verifier.rb | |
parent | 39e4e76d15233bb1cb0b778d920f54efe86bb4f0 (diff) | |
parent | 1a0f822037c408a392ffa7b6e1ecbe5951ab48db (diff) | |
download | rails-670281c6b2e9b9e8c51a140f2a5f66b251f1b84b.tar.gz rails-670281c6b2e9b9e8c51a140f2a5f66b251f1b84b.tar.bz2 rails-670281c6b2e9b9e8c51a140f2a5f66b251f1b84b.zip |
Merge commit 'rails/master'
Conflicts:
activerecord/lib/active_record/associations.rb
Diffstat (limited to 'activesupport/lib/active_support/message_verifier.rb')
-rw-r--r-- | activesupport/lib/active_support/message_verifier.rb | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb index b24acb9f47..aae5a3416d 100644 --- a/activesupport/lib/active_support/message_verifier.rb +++ b/activesupport/lib/active_support/message_verifier.rb @@ -25,10 +25,10 @@ module ActiveSupport def verify(signed_message) data, digest = signed_message.split("--") - if digest != generate_digest(data) - raise InvalidSignature - else + if secure_compare(digest, generate_digest(data)) Marshal.load(ActiveSupport::Base64.decode64(data)) + else + raise InvalidSignature end end @@ -38,6 +38,19 @@ module ActiveSupport end private + # constant-time comparison algorithm to prevent timing attacks + def secure_compare(a, b) + if a.length == b.length + result = 0 + for i in 0..(a.length - 1) + result |= a[i] ^ b[i] + end + result == 0 + else + false + end + end + def generate_digest(data) require 'openssl' unless defined?(OpenSSL) OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), @secret, data) |