use secure string comparisons for basic auth username / password

this will avoid timing attacks against applications that use basic auth. CVE-2015-7576
author: Aaron Patterson <aaron.patterson@gmail.com> 2015-10-29 10:42:44 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2016-01-22 14:55:14 -0800
commit: 17e6f1507b7f2c2a883c180f4f9548445d6dfbda (patch)
tree: e9dd60b7d1a2f90407b264c8e1f7555119e3c698 /activesupport
parent: 099ddfdefd44fda11d0f6a72f934f8a0ee83141b (diff)
download: rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.tar.gz
rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.tar.bz2
rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb
index 64c4801179..9be8613ada 100644
--- a/activesupport/lib/active_support/security_utils.rb
+++ b/activesupport/lib/active_support/security_utils.rb
@@ -1,3 +1,5 @@
+require 'digest'
+
 module ActiveSupport
   module SecurityUtils
     # Constant time string comparison.
@@ -16,5 +18,10 @@ module ActiveSupport
       res == 0
     end
     module_function :secure_compare
+
+    def variable_size_secure_compare(a, b) # :nodoc:
+      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
+    end
+    module_function :variable_size_secure_compare
   end
 end
author	Aaron Patterson <aaron.patterson@gmail.com>	2015-10-29 10:42:44 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2016-01-22 14:55:14 -0800
commit	17e6f1507b7f2c2a883c180f4f9548445d6dfbda (patch)
tree	e9dd60b7d1a2f90407b264c8e1f7555119e3c698 /activesupport
parent	099ddfdefd44fda11d0f6a72f934f8a0ee83141b (diff)
download	rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.tar.gz rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.tar.bz2 rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.zip