
simplifying comparisons (avoiding too many negatives) and adding unit test cases
commit e4cae200f4a55a86774ba98a3182d4c9fb7b0436 1 parent a535b04
Guilherme Silveira guilhermesilveira authored josevalim committed

Showing 2 changed files with 11 additions and 2 deletions. Show diff stats Hide diff stats

  1. +1 2  lib/devise.rb
  2. +10 0 test/devise_test.rb
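--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -378,8 +378,7 @@ def self.friendly_token
 
 # constant-time comparison algorithm to prevent timing attacks
 def self.secure_compare(a, b)
-return false unless a.present? && b.present?
-return false unless a.bytesize == b.bytesize
+return false if a.blank? || b.blank? || a.bytesize != b.bytesize
 l = a.unpack "C#{a.bytesize}"
 
 res = 0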
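Review bot: The merged guard on line 381 still returns as soon as the byte sizes differ, so the routine is constant-time only for equal-length inputs and the length of the secret remains observable through timing; that is the same trade-off the two-line form made and is standard for this helper, but the comment above the method promises "constant-time comparison" without saying so. I would extend it to `# constant-time comparison of equal-length strings (a length mismatch returns early) to prevent timing attacks`. Note also that `blank?` treats whitespace-only strings as empty, so two identical whitespace strings compare unequal — presumably intended for password input, but worth a word in the comment. The body of secure_compare continues past the end of the hunk.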
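--- a/test/devise_test.rb
+++ b/test/devise_test.rb
@@ -62,4 +62,14 @@ class DeviseTest < ActiveSupport::TestCase
 assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
 assert defined?(Devise::Models::AuthenticatableAgain)
 end
+
+test 'should complain when comparing empty or different sized passes' do
+[nil, ""].each do |empty|
+assert_not Devise.secure_compare(empty, "something")
+assert_not Devise.secure_compare("something", empty)
+assert_not Devise.secure_compare(empty, empty)
+end
+assert_not Devise.secure_compare("size_1", "size_four")
+end
+
 end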
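Review bot: The new test only exercises rejecting inputs; nothing pins that equal strings still compare true after the guard was rewritten, so a slip in the merged condition (for example `==` in place of `!=`) would pass this test unnoticed. I would add `assert Devise.secure_compare("same", "same")` and `assert_not Devise.secure_compare("abcd", "abce")` after line 72 to cover the accept path and the equal-length mismatch path. If I recall correctly `assert_not` is only provided by ActiveSupport::TestCase from Rails 4.0 onward, so `assert !Devise.secure_compare(...)` is the portable form should the suite still run on older ActiveSupport. The enclosing DeviseTest class starts before the hunk.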
