author | Jeremy Kemper <jeremy@bitsweat.net> | 2009-09-08 14:05:33 +0900 |
---|---|---|
committer | Jeremy Kemper <jeremy@bitsweat.net> | 2009-09-08 14:05:33 +0900 |
commit | aeab739bd56c0bff6d1b5685eee35e557484ab4c (patch) | |
tree | 7044e994bce5129ecb4297c2c8dbc3a09c222a20 /activesupport | |
parent | 47aebacd51f1b35209b0b996443c45e2301e8319 (diff) | |
download | rails-aeab739bd56c0bff6d1b5685eee35e557484ab4c.tar.gz rails-aeab739bd56c0bff6d1b5685eee35e557484ab4c.tar.bz2 rails-aeab739bd56c0bff6d1b5685eee35e557484ab4c.zip |
Ruby 1.9: fix MessageVerifier#secure_compare
Diffstat (limited to 'activesupport')
-rw-r--r-- | activesupport/lib/active_support/message_verifier.rb | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index aae5a3416d..8d14423d91 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -38,16 +38,34 @@ module ActiveSupport
 end
 private
- # constant-time comparison algorithm to prevent timing attacks
- def secure_compare(a, b)
- if a.length == b.length
- result = 0
- for i in 0..(a.length - 1)
- result |= a[i] ^ b[i]
+ if "foo".respond_to?(:force_encoding)
+ # constant-time comparison algorithm to prevent timing attacks
+ def secure_compare(a, b)
+ a = a.force_encoding(Encoding::BINARY)
+ b = b.force_encoding(Encoding::BINARY)
+
+ if a.length == b.length
+ result = 0
+ for i in 0..(a.length - 1)
+ result |= a[i].ord ^ b[i].ord
+ end
+ result == 0
+ else
+ false
+ end
+ end
+ else
+ # For 1.8
+ def secure_compare(a, b)
+ if a.length == b.length
+ result = 0
+ for i in 0..(a.length - 1)
+ result |= a[i] ^ b[i]
+ end
+ result == 0
+ else
+ false
 end
- result == 0
- else
- false
 end
 end |
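Review bot: The two `force_encoding(Encoding::BINARY)` calls at the top of the new 1.9 `secure_compare` mutate the caller's strings in place (the computed digest and the signature taken from the message), so their encoding is changed as a side effect of a comparison, and the call will presumably raise if either string arrives frozen. The comparison only needs raw bytes, so the encoding rewrite can be dropped entirely by comparing byte-wise: `if a.bytesize == b.bytesize` and `result |= a.getbyte(i) ^ b.getbyte(i)`, with the loop bound taken from `a.bytesize`; both methods exist on 1.9 and leave the inputs untouched. If that route is taken, the feature test `"foo".respond_to?(:force_encoding)` would more honestly become `respond_to?(:getbyte)`, since that is the method the branch then depends on. The enclosing `module ActiveSupport` / class definition starts before this hunk.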