Ensure MessageVerifier raises appropriate exception on tampered data
parent
992c2db76c
commit
69aa5e8a86
2 changed files with 2 additions and 1 deletions
|
@ -29,7 +29,7 @@ module ActiveSupport
|
|||
raise InvalidSignature if signed_message.blank?
|
||||
|
||||
data, digest = signed_message.split("--")
|
||||
if secure_compare(digest, generate_digest(data))
|
||||
if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
|
||||
Marshal.load(ActiveSupport::Base64.decode64(data))
|
||||
else
|
||||
raise InvalidSignature
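Review bot: `signed_message.split("--")` on the line before the changed condition keeps only the first two fields, so an input shaped like `data--digest--extra` still verifies when those two fields match and the trailing part is silently ignored. Limiting the split, `data, digest = signed_message.split("--", 2)`, would fold any extra content into `digest` so the comparison rejects it (assuming `secure_compare`, which is not visible here, returns false on unequal lengths). Because the verified payload goes straight into `Marshal.load`, the accepted message format is worth keeping as strict as possible. The enclosing method starts and ends outside this hunk.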
|
||||
|
|
|
@ -27,6 +27,7 @@ class MessageVerifierTest < Test::Unit::TestCase
|
|||
data, hash = @verifier.generate(@data).split("--")
|
||||
assert_not_verified("#{data.reverse}--#{hash}")
|
||||
assert_not_verified("#{data}--#{hash.reverse}")
|
||||
assert_not_verified("purejunk")
|
||||
end
|
||||
|
||||
def assert_not_verified(message)
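Review bot: The added `assert_not_verified("purejunk")` only exercises the missing-digest path, so the `data.present?` guard introduced in the verifier is not covered by any assertion visible here. Adding `assert_not_verified("--#{hash}")` would pin the empty-data case, and `assert_not_verified("#{data}--")` would cover a message that has the separator but no digest. The test method begins above this hunk and the body of `assert_not_verified` continues below it.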
|
||||
|
|