1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

11 commits

Author SHA1 Message Date
Rafael Mendonça França
f76ca450f5
Compare the actual string after comparing the HMAC proccessed strings
Even that collisions are unlikely we need to make sure the two strings
are equal.

Timing is not important in this case because this only runs after the
comparison between the SHA256 digested strings returns true.
2017-11-25 11:39:41 -05:00
Rafael Mendonça França
0623b5d194
Merge pull request #24510 from vipulnsward/make-variable_size_secure_compare-public
Make variable_size_secure_compare public
2017-11-25 11:39:37 -05:00
Francesco Rodriguez
ff56fdb08d Preload digest/sha2 to avoid thread safe error.
I got this error in production using Puma in multi-threaded mode:

```
RuntimeError: Digest::Base cannot be directly inherited in Ruby
from active_support/security_utils.rb:23:in `variable_size_secure_compare'
from active_support/security_utils.rb:23:in `hexdigest'
from active_support/security_utils.rb:23:in `digest'
```

Looks like Digest uses const_missing to load Digest::SHA256 (https://github.com/ruby/ruby/blob/trunk/ext/digest/lib/digest.rb#L8)

- https://bugs.ruby-lang.org/issues/9494
- c02fa39463
2017-09-25 17:07:00 +02:00
Koichi ITO
ac717d65a3 [Active Support] rubocop -a --only Layout/EmptyLineAfterMagicComment 2017-07-11 13:12:32 +09:00
Kir Shatrov
72950568dd Use frozen-string-literal in ActiveSupport 2017-07-09 15:08:29 +03:00
Matthew Draper
87b3e226d6 Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"
This reverts commit 3420a14590, reversing
changes made to afb66a5a59.
2017-07-02 02:15:17 +09:30
Kir Shatrov
cfade1ec7e Enforce frozen string in Rubocop 2017-07-01 02:11:03 +03:00
Vipul A M
fa487763d9
Changed default behaviour of ActiveSupport::SecurityUtils.secure_compare,
to make it not leak length information even for variable length string.

    Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
    and started raising `ArgumentError` in case of length mismatch of passed strings.
2017-06-07 03:45:10 +05:30
Xavier Noria
d66e7835be applies new string literal convention in activesupport/lib
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
2016-08-06 18:10:53 +02:00
Aaron Patterson
17e6f1507b use secure string comparisons for basic auth username / password
this will avoid timing attacks against applications that use basic auth.

CVE-2015-7576
2016-01-22 14:55:14 -08:00
Guillermo Iguaran
c8c660002f Add AS::SecurityUtils.secure_compare for constant time string comparison 2014-10-23 14:54:06 -03:00