* Closes CVE-2013-0263
@@ -159,7 +159,7 @@ def destroy_session(env, session_id, options) | |
| def digest_match?(data, digest) | ||
| return unless data && digest | ||
| @secrets.any? do |secret| | ||
| digest == generate_hmac(data, secret) | ||
tarcieri
| Rack::Utils.secure_compare(digest, generate_hmac(data, secret)) | ||
| end | ||
| end | ||
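Review bot: `secure_compare` now receives `digest` straight from the session cookie, so it must tolerate values whose length differs from a real HMAC output (a truncated or oversized digest has to return false, not raise); the `return unless data && digest` guard above only covers nil, so a test that feeds `digest_match?` a wrong-length digest would pin that down. Separately, `@secrets.any?` still stops at the first secret that matches, so with several secrets configured the total time reveals which rotation slot matched; that leaks nothing about the digest bytes and is acceptable, but a one-line comment saying so would save the next reader from re-deriving it.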

Heh, funny, I looked for this vulnerability in Rails recently and saw they were using a (wonky) constant-time comparison function. Didn't think to look in Rack. Crypto is hard :(
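To make the timing leak behind this fix concrete, here is an added example in Ruby. It is not Rack's code and not tarcieri's: it reimplements a `digest_match?` of the same shape with two comparison routines, a byte-by-byte compare that stops at the first mismatch (what `==` does under the hood, instrumented to report how many bytes it looked at, which is what an attacker measures as elapsed time) and a constant-time compare written in the XOR-accumulate style of `Rack::Utils.secure_compare`. The secrets, the session data and the helper names (`leaky_compare`, `leaked_prefix_work`) are constructed for the example.

```ruby
require 'openssl'

# Constructed sample secrets; the last one is the "current" signing key.
SECRETS = ['old-secret', 'new-secret'].freeze

# Same signature as the digest helper in the diff: hex HMAC-SHA1 over data.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Models the pre-fix `==`: compare byte by byte and bail at the first
# difference. Returns [match?, bytes_examined]; the second value stands in
# for the elapsed time an attacker observes over the network.
def leaky_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).each_with_index do |(x, y), i|
    return [false, i + 1] if x != y
  end
  [true, a.bytesize]
end

# Constant-time compare in the style of Rack::Utils.secure_compare: XOR every
# byte pair and OR the results, so the work done never depends on where (or
# whether) the inputs differ. Length is checked up front; that is safe here
# because a hex HMAC-SHA1 digest is always 40 characters, so length is public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  r = 0
  b.each_byte { |v| r |= v ^ l.shift }
  r == 0
end

# Pre-fix shape: `any?` plus a short-circuiting compare.
def digest_match_leaky?(data, digest)
  return unless data && digest
  SECRETS.any? { |s| leaky_compare(digest, generate_hmac(data, s)).first }
end

# Post-fix shape: `any?` still stops at the first matching secret (that only
# reveals which rotation slot matched), but each compare is constant-time.
def digest_match?(data, digest)
  return unless data && digest
  SECRETS.any? { |s| secure_compare(digest, generate_hmac(data, s)) }
end

# How many bytes the leaky compare examines for a forged digest whose first
# prefix_len hex characters are right and whose next one is wrong. An attacker
# extends the prefix one position at a time by keeping the candidate that
# runs longest; with the constant-time compare every candidate costs the same.
def leaked_prefix_work(data, prefix_len)
  real = generate_hmac(data, SECRETS.last)
  forged = real[0, prefix_len] + ('0' * (real.length - prefix_len))
  if prefix_len < real.length
    forged[prefix_len] = (real[prefix_len] == '0' ? '1' : '0') # force a mismatch here
  end
  leaky_compare(forged, real).last
end
```

Each extra correct prefix character makes `leaky_compare` examine one more byte, which is exactly the signal that lets a guess-one-byte-at-a-time attack recover a valid digest; `secure_compare` always touches all 40 bytes, so the same forged inputs are indistinguishable by timing.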