mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Compare the actual string after comparing the HMAC processed strings

Even though collisions are unlikely, we need to make sure the two strings
are equal.

Timing is not important in this case because this only runs after the
comparison between the SHA256 digested strings returns true.
Rafael Mendonça França 2017-11-25 11:33:11 -05:00
parent 0623b5d194
commit f76ca450f5
GPG key ID: FC23B6D0F1EEE948


@ -24,7 +24,7 @@ module ActiveSupport
# The values are first processed by SHA256, so that we don't leak length info
# via timing attacks.
def secure_compare(a, b)
fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) && a == b
end
module_function :secure_compare
end
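Review bot: the trailing `a == b` in the new `secure_compare` body is a variable-time string comparison, but it is only reached after `fixed_length_secure_compare` has returned true for the two SHA256 hex digests, so the `&&` short-circuit keeps the timing property the comment above promises (no length or prefix information about `a` leaks, because the plain comparison runs only when the digests already matched and would differ from `true` only on a SHA256 collision). Consider extending the comment on the two lines above to state this, since a later reader seeing `a == b` in a constant-time helper may otherwise file it as a regression; something like "The plain `a == b` is evaluated only when the digests already match, so it cannot be used as a timing oracle" would make the intent explicit.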