From c76a8c72d550734fc55877deecba0bf5dcc63c17 Mon Sep 17 00:00:00 2001 From: Bart de Water Date: Sat, 9 Mar 2019 10:56:39 -0500 Subject: [PATCH] Don't encode in secure_compare for speedup Hex encoding is base 16 which makes the original input twice as big. With this change less time need to be spent in fixed_length_secure_compare. --- activesupport/lib/active_support/security_utils.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb index 20b6b9cd3f..5e455fca57 100644 --- a/activesupport/lib/active_support/security_utils.rb +++ b/activesupport/lib/active_support/security_utils.rb @@ -24,7 +24,7 @@ module ActiveSupport # The values are first processed by SHA256, so that we don't leak length info # via timing attacks. def secure_compare(a, b) - fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) && a == b + fixed_length_secure_compare(::Digest::SHA256.digest(a), ::Digest::SHA256.digest(b)) && a == b end module_function :secure_compare end