Commit
* Closes CVE-2013-0263
@@ -159,7 +159,7 @@ def destroy_session(env, session_id, options) | ||
def digest_match?(data, digest) | def digest_match?(data, digest) | ||
return unless data && digest | return unless data && digest | ||
@secrets.any? do |secret| | @secrets.any? do |secret| | ||
digest == generate_hmac(data, secret) | Rack::Utils.secure_compare(digest, generate_hmac(data, secret)) | ||
end | end | ||
end | end | ||
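Review bot: the per-secret comparison is now constant time, but `@secrets.any?` still short-circuits on the first secret whose HMAC matches, so the total time of `digest_match?` still varies with which entry in `@secrets` signed the cookie. That leaks only the position of the secret in the rotation list, not any digest byte, so it is acceptable, but a one-line comment saying so would save the next reader from re-deriving it. Two smaller points: `digest` is attacker-controlled cookie input of arbitrary length, so the commit should confirm (ideally with a regression test, which this change lacks) that `Rack::Utils.secure_compare` handles a length mismatch by returning false rather than raising or indexing past the shorter string; and `return unless data && digest` yields nil rather than false, which is fine for a predicate but worth making explicit if the result is ever compared with `==`.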
tarcieri: Heh, funny, I looked for this vulnerability in Rails recently and saw they were using a (wonky) constant-time comparison function. Didn't think to look in Rack. Crypto is hard :(
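To make the bug the patch fixes concrete, here is an added example (written for this page, not Rack's own code) of a cookie-digest check done both ways. The `SECRETS` list, the sample data and the `naive_equal?` counter are constructed for illustration; `naive_equal?` reports how many bytes it examined before returning, which is the quantity an attacker measures through timing when the digest is compared with `==`, while `secure_compare` touches every byte regardless of where the mismatch is. HMAC-SHA1 hex digests come from Ruby's standard `openssl` library.

```ruby
require 'openssl'

# Constructed sample secrets standing in for Rack's @secrets (current + rotated).
SECRETS = ['current-secret', 'rotated-old-secret'].freeze

# Same shape as the cookie store's HMAC: hex SHA1 over the serialized session.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Naive comparison, instrumented: returns [equal?, bytes_examined].
# It stops at the first differing byte, which is exactly what String#== does
# and why the number of matching leading bytes is observable through timing.
def naive_equal?(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).each_with_index do |(x, y), i|
    return [false, i + 1] if x != y
  end
  [true, a.bytesize]
end

# Constant-time comparison in the style of Rack::Utils.secure_compare:
# bail out on a length mismatch (length of an HMAC digest is public and fixed,
# so this leaks nothing useful), then OR together the XOR of every byte pair
# with no early exit, so work done is independent of where the bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened digest_match? as in the patched hunk; note that any? still
# short-circuits on the first matching secret, which reveals only which
# rotation entry signed the cookie, not any digest bytes.
def digest_match?(data, digest)
  return false unless data && digest
  SECRETS.any? { |secret| secure_compare(digest, generate_hmac(data, secret)) }
end

# Flip the byte at +pos+ of a hex digest to build a forgery attempt whose
# first mismatch is at a known position.
def forge_at(digest, pos)
  forged = digest.dup
  forged[pos] = (forged[pos] == 'a' ? 'b' : 'a')
  forged
end

if __FILE__ == $PROGRAM_NAME
  data = 'session-data'                      # constructed session payload
  good = generate_hmac(data, 'current-secret')
  [0, 5, 20].each do |pos|
    _, n = naive_equal?(good, forge_at(good, pos))
    puts "naive == examined #{n} bytes for a mismatch at #{pos}"
  end
  puts "secure_compare: #{secure_compare(good, forge_at(good, 5))}"
  puts "digest_match?:  #{digest_match?(data, good)}"
end
```

The instrumented counter stands in for a stopwatch: with `==`, a forgery that matches the first five bytes is rejected after six comparisons, one that matches none after one, so an attacker who can time the check can recover the digest one byte at a time. `secure_compare` gives no such signal, which is the whole content of the one-line change in the commit above.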