secure_compare: Check byte size instead of length
Match fixed_length_secure_compare's guard clause. References #39142.
parent
d264276288
commit
92b8cda4c9
|
@ -31,7 +31,7 @@ module ActiveSupport
|
|||
# the secret length. This should be considered when using secure_compare
|
||||
# to compare weak, short secrets to user input.
|
||||
def secure_compare(a, b)
|
||||
a.length == b.length && fixed_length_secure_compare(a, b)
|
||||
a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
|
||||
end
|
||||
module_function :secure_compare
|
||||
end
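Review bot: The comment above `secure_compare` still says the early return leaks "the secret length", but the guard now compares `bytesize`, so what timing can reveal is the secret's size in bytes. The wording should follow the code, e.g. `# the secret's byte size. This should be considered when using secure_compare`. It would also help to document that both arguments must be Strings: a `nil` argument (for instance an absent parameter) raises NoMethodError on `a.bytesize` rather than returning false, so callers have to coerce or reject it first. The comment begins above the hunk, so the rest of its text is not visible here.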
|
||||
|
|
|
@ -9,6 +9,10 @@ class SecurityUtilsTest < ActiveSupport::TestCase
|
|||
assert_not ActiveSupport::SecurityUtils.secure_compare("a", "b")
|
||||
end
|
||||
|
||||
def test_secure_compare_return_false_on_bytesize_mismatch
|
||||
assert_not ActiveSupport::SecurityUtils.secure_compare("a", "\u{ff41}")
|
||||
end
|
||||
|
||||
def test_fixed_length_secure_compare_should_perform_string_comparison
|
||||
assert ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "a")
|
||||
assert_not ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "b")
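Review bot: The new test `test_secure_compare_return_false_on_bytesize_mismatch` does not say why `"\u{ff41}"` was chosen. A comment such as `# U+FF41 is one character but three bytes in UTF-8, so length matches while bytesize does not` would make the guarded regression visible to the next reader. The multibyte case is also only covered in the negative direction; a companion assertion like `assert ActiveSupport::SecurityUtils.secure_compare("\u{ff41}", "\u{ff41}")` would pin that equal multibyte inputs still compare true. The test method that follows continues past the end of the hunk.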
|
||||
|
|