simplifying comparisons (avoind too much negatives) and adding unit test cases

2011-02-27 11:41:22 +08:00 · 2011-02-27 11:41:22 +08:00 · e4cae200f4
parent a535b047ff
commit e4cae200f4
2 changed files with 11 additions and 2 deletions
--- a/lib/devise.rb
+++ b/lib/devise.rb
@ -378,8 +378,7 @@ module Devise

  # constant-time comparison algorithm to prevent timing attacks
  def self.secure_compare(a, b)
-    return false unless a.present? && b.present?
-    return false unless a.bytesize == b.bytesize
+    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
    l = a.unpack "C#{a.bytesize}"

    res = 0
--- a/test/devise_test.rb
+++ b/test/devise_test.rb
@ -62,4 +62,14 @@ class DeviseTest < ActiveSupport::TestCase
    assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
    assert defined?(Devise::Models::AuthenticatableAgain)
  end
+  
+  test 'should complain when comparing empty or different sized passes' do
+    [nil, ""].each do |empty|
+      assert_not Devise.secure_compare(empty, "something")
+      assert_not Devise.secure_compare("something", empty)
+      assert_not Devise.secure_compare(empty, empty)
+    end
+    assert_not Devise.secure_compare("size_1", "size_four")
+  end
+  
 end