mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00

Use secure_compare when checking CSRF token

Since string comparisons may return early we want to use a constant
time comparison function to protect the CSRF token against timing
attacks. Rack::Utils provides such a function.
Andreas Karlsson 2015-05-25 19:37:29 +02:00 committed by Zachary Scott
parent c419868ca3
commit 8aa6c42ef7
2 changed files with 7 additions and 2 deletions
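The commit message above gives the reason for the change but not the mechanism. The following is an added example, not code from the sinatra or rack-protection repositories: it contrasts an early-exit byte comparison (whose work grows with the length of the correct prefix, which is what a timing attacker measures) with a constant-time comparison of the kind `Rack::Utils.secure_compare` provides, and then wraps it in a check shaped like the patched authenticity-token code. The helper names `early_exit_compare`, `constant_time_compare` and `csrf_token_valid?` and the sample token are this example's own assumptions, not rack-protection API.

```ruby
# Added example (not rack-protection code). Helper names and the sample token
# below are assumptions made for illustration.

# Byte-by-byte comparison that returns at the first mismatch. It also returns
# how many bytes were examined, standing in for the time an attacker measures:
# the count grows with the length of the correct prefix, so each byte of the
# secret can be guessed independently.
def early_exit_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  examined = 0
  a.bytes.zip(b.bytes).each do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison: XOR every byte pair and OR the results together,
# so the loop always runs over the whole string and the outcome is only
# inspected at the end. A length mismatch returns false at once; that is
# acceptable when the secret's length is fixed and not itself secret, as with
# a CSRF token. Rack::Utils.secure_compare follows the same pattern.
def constant_time_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# CSRF check in the shape of the patched authenticity_token check: the header
# or form parameter may be nil (missing) or a non-String (e.g. an Array from a
# `param[]=` query), so both are coerced with to_s before comparing. A nil
# value becomes "", whose length never matches the token, so the result is
# false exactly as `nil == token` was before the patch.
def csrf_token_valid?(header_value, param_value, token)
  constant_time_compare(header_value.to_s, token) ||
    constant_time_compare(param_value.to_s, token)
end

if __FILE__ == $0
  token = "9f7c2ab8d4e6f1a3c5b7d9e1f2a4b6c8" # constructed sample token
  guesses = ["0" * 32, "9f7c" + "0" * 28, "9f7c2ab8d4e6f1a3" + "0" * 16, token]
  guesses.each do |g|
    ok, n = early_exit_compare(g, token)
    puts "early-exit:    match=#{ok} bytes examined=#{n}"
    puts "constant-time: match=#{constant_time_compare(g, token)}"
  end
  puts csrf_token_valid?(nil, token, token)  # form param carries the token
  puts csrf_token_valid?(nil, nil, token)    # neither source present
end
```

Run it and the `bytes examined` figure rises from 1 to 5 to 17 as the guessed prefix lengthens, while the constant-time variant gives the attacker nothing but the final boolean.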


@ -23,8 +23,8 @@ module Rack
session = session env
token = session[:csrf] ||= session['_csrf_token'] || random_string
safe?(env) ||
env['HTTP_X_CSRF_TOKEN'] == token ||
Request.new(env).params[options[:authenticity_param]] == token
secure_compare(env['HTTP_X_CSRF_TOKEN'], token) ||
secure_compare(Request.new(env).params[options[:authenticity_param]], token)
end
end
end
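Review bot: the two replaced lines call `secure_compare` as an instance method that does not exist in this file; it is the helper added to the base class in the other file of this commit, so the two files must land together, and a reader of this hunk alone cannot see that the helper coerces its arguments with `to_s` before calling `Rack::Utils.secure_compare`. That coercion is what keeps behaviour unchanged here: `env['HTTP_X_CSRF_TOKEN']` is nil when the header is absent, nil becomes "", its length cannot match `token`, and the comparison returns false just as `nil == token` did. A one-line comment above the first `secure_compare(` line saying the values may be nil or non-String would save the next reader that trip to base.rb.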


@ -1,4 +1,5 @@
require 'rack/protection'
require 'rack/utils'
require 'digest'
require 'logger'
require 'uri'
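Review bot: `require 'rack/utils'` is the right dependency for the new helper, but `Rack::Utils.secure_compare` is not present in every rack release, and the require will succeed while the call raises NoMethodError at request time on a rack that lacks it; confirm the gem's minimum rack version ships `secure_compare` before merging.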
@ -110,6 +111,10 @@ module Rack
options[:encryptor].hexdigest value.to_s
end
def secure_compare(a, b)
Rack::Utils.secure_compare(a.to_s, b.to_s)
end
alias default_reaction deny
def html?(headers)
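Review bot: the new `secure_compare(a, b)` helper has no comment, and the `to_s` coercion is the subtle part: it lets callers pass a nil header or a non-String request parameter without `Rack::Utils.secure_compare` raising, and it turns an Array or Hash parameter into its inspect string, which can never equal the token. Suggest a one-line comment above `def secure_compare(a, b)` stating that, and noting that `Rack::Utils.secure_compare` returns false immediately on a length mismatch, which is acceptable only because the token length is not itself secret.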