Use secure_compare for hmac comparison

* Closes CVE-2013-0263
rack · Feb 7, 2013 · 0cd7e9a · tarcieri · Feb 8, 2013 · dchapman1988
1 parent 9a81b96
commit 0cd7e9a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
@@ -159,7 +159,7 @@ def destroy_session(env, session_id, options)
       def digest_match?(data, digest)
         return unless data && digest
         @secrets.any? do |secret|
-          digest == generate_hmac(data, secret)
+          Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
         end
       end