| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Hex encoding is base 16 which makes the original input twice as big. With this change less time need to be spent in fixed_length_secure_compare.
|
| |
|
|
|
|
|
|
| |
Even that collisions are unlikely we need to make sure the two strings
are equal.
Timing is not important in this case because this only runs after the
comparison between the SHA256 digested strings returns true.
|
| |\
| |
| |
| |
| |
| | |
vipulnsward/make-variable_size_secure_compare-public
Make variable_size_secure_compare public
|
| | |
| |
| |
| |
| |
| |
| | |
to make it not leak length information even for variable length string.
Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
and started raising `ArgumentError` in case of length mismatch of passed strings.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I got this error in production using Puma in multi-threaded mode:
```
RuntimeError: Digest::Base cannot be directly inherited in Ruby
from active_support/security_utils.rb:23:in `variable_size_secure_compare'
from active_support/security_utils.rb:23:in `hexdigest'
from active_support/security_utils.rb:23:in `digest'
```
Looks like Digest uses const_missing to load Digest::SHA256 (https://github.com/ruby/ruby/blob/trunk/ext/digest/lib/digest.rb#L8)
- https://bugs.ruby-lang.org/issues/9494
- https://github.com/ruby/ruby/commit/c02fa39463a0c6bf698b01bc610135604aca2ff4
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing
changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
|
| |/ |
|
| |
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
| |
|
|
|
|
| |
this will avoid timing attacks against applications that use basic auth.
CVE-2015-7576
|
| |
|
