Use secure_compare when checking CSRF token
Since string comparisons may return early, we want to use a constant-time comparison function to protect the CSRF token against timing attacks. Rack::Utils provides such a function.
This commit is contained in:
parent
c419868ca3
commit
8aa6c42ef7
2 changed files with 7 additions and 2 deletions
|
@ -23,8 +23,8 @@ module Rack
|
|||
session = session env
|
||||
token = session[:csrf] ||= session['_csrf_token'] || random_string
|
||||
safe?(env) ||
|
||||
env['HTTP_X_CSRF_TOKEN'] == token ||
|
||||
Request.new(env).params[options[:authenticity_param]] == token
|
||||
secure_compare(env['HTTP_X_CSRF_TOKEN'], token) ||
|
||||
secure_compare(Request.new(env).params[options[:authenticity_param]], token)
|
||||
end
|
||||
end
|
||||
end
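Review bot: The two `secure_compare` calls rely on the helper's `to_s` coercion, so a request with neither the `HTTP_X_CSRF_TOKEN` header nor the authenticity param compares `""` against `token`; that is only safe because `token` is presumably never empty (it comes from the session or `random_string`, whose length is not visible here). A short why-comment above the first call would keep the next maintainer from reverting to `==` as a "simplification": `# constant-time compare: a plain == can leak how many leading bytes matched`. The enclosing method begins before this hunk, so its guard conditions are not visible here.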
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
require 'rack/protection'
|
||||
require 'rack/utils'
|
||||
require 'digest'
|
||||
require 'logger'
|
||||
require 'uri'
|
||||
|
@ -110,6 +111,10 @@ module Rack
|
|||
options[:encryptor].hexdigest value.to_s
|
||||
end
|
||||
|
||||
def secure_compare(a, b)
|
||||
Rack::Utils.secure_compare(a.to_s, b.to_s)
|
||||
end
|
||||
|
||||
alias default_reaction deny
|
||||
|
||||
def html?(headers)
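Review bot: `secure_compare` is added with no documentation, and its `to_s` coercion is the part a reader needs explained: `nil` (missing header or param) becomes `""`, non-String params become their string form, and either of those compares safely without raising. I would add above the definition: `# Constant-time equality for CSRF tokens. Arguments are coerced with to_s so a missing header/param (nil) never raises and only matches an empty token.` Note also that `Rack::Utils.secure_compare` in some Rack releases returns early when the byte sizes differ, so only the comparison of equal-length strings is constant-time; that is acceptable for fixed-length tokens but worth stating in the comment if the Rack version in use behaves that way.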
|
||||
|
|