Aaron Patterson
f959758687
making secure_compare faster
[#3195 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2009-09-13 02:44:52 -07:00
Michael Koziarski
e590508a9b
Dup the arguments to string compare so we can use force_encoding.
2009-09-13 10:36:04 +12:00
Yehuda Katz
a8a336cbfc
Revert "ruby 1.9 friendly secure_compare" because it breaks CI and Sam Ruby's suite
This reverts commit 5de75398c4.
2009-09-12 14:35:03 -05:00
Jakub Kuźma
b22c951e7a
ruby 1.9 friendly secure_compare
Signed-off-by: Michael Koziarski <michael@koziarski.com>
2009-09-12 12:48:34 +12:00
Jeremy Kemper
aeab739bd5
Ruby 1.9: fix MessageVerifier#secure_compare
2009-09-08 14:05:33 +09:00
Coda Hale
5e6dab8b34
Fix timing attack vulnerability in ActiveSupport::MessageVerifier.
Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
2009-09-04 09:25:38 +12:00
Jeremy Kemper
51d155e697
Lazy-require OpenSSL
2008-11-23 15:29:03 -08:00
Michael Koziarski
f9b1aa7f4c
Don't need _message as it's in the class name already
2008-11-23 16:33:56 +01:00
Michael Koziarski
d460c9a255
Add ActiveSupport::MessageVerifier to aid users who need to store tamper-proof messages in cookies etc.
This is particularly useful for things like remember-me tokens in web applications and auto-unsubscribe links in emails.
2008-11-23 15:33:59 +01:00