From 73209aa7a3abb942e144e358135e5d39a70294fd Mon Sep 17 00:00:00 2001
From: Bart de Water <bart@somnilocode.nl>
Date: Wed, 27 Jul 2016 13:41:40 +0200
Subject: Add rationale for manually checking auth_tag length, which got lost
 when #25874 was squashed before merging [skip ci]

---
 activesupport/lib/active_support/message_encryptor.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'activesupport/lib/active_support/message_encryptor.rb')

diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb
index 87efe117c5..1f2736388d 100644
--- a/activesupport/lib/active_support/message_encryptor.rb
+++ b/activesupport/lib/active_support/message_encryptor.rb
@@ -99,6 +99,10 @@ module ActiveSupport
     def _decrypt(encrypted_message)
       cipher = new_cipher
       encrypted_data, iv, auth_tag = encrypted_message.split("--".freeze).map {|v| ::Base64.strict_decode64(v)}
+
+      # Currently the OpenSSL bindings do not raise an error if auth_tag is
+      # truncated, which would allow an attacker to easily forge it. See
+      # https://github.com/ruby/openssl/issues/63
       raise InvalidMessage if aead_mode? && auth_tag.bytes.length != 16
 
       cipher.decrypt
-- 
cgit v1.2.3