diff options
author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2017-11-25 11:33:11 -0500 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2017-11-25 11:39:41 -0500 |
commit | f76ca450f5027a4fa578d939b35fe4f608f2423e (patch) | |
tree | fd2c1c4235348b953ccf8361434590a2a536753b /activesupport/lib/active_support | |
parent | 0623b5d19408ef3093bef3597bfcb12cf70a08a3 (diff) | |
download | rails-f76ca450f5027a4fa578d939b35fe4f608f2423e.tar.gz rails-f76ca450f5027a4fa578d939b35fe4f608f2423e.tar.bz2 rails-f76ca450f5027a4fa578d939b35fe4f608f2423e.zip |
Compare the actual string after comparing the HMAC proccessed strings
Even that collisions are unlikely we need to make sure the two strings
are equal.
Timing is not important in this case because this only runs after the
comparison between the SHA256 digested strings returns true.
Diffstat (limited to 'activesupport/lib/active_support')
-rw-r--r-- | activesupport/lib/active_support/security_utils.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb index 4d129bfe41..20b6b9cd3f 100644 --- a/activesupport/lib/active_support/security_utils.rb +++ b/activesupport/lib/active_support/security_utils.rb @@ -24,7 +24,7 @@ module ActiveSupport # The values are first processed by SHA256, so that we don't leak length info # via timing attacks. def secure_compare(a, b) - fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) + fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) && a == b end module_function :secure_compare end |