Use secure_compare for hmac comparison

* Closes CVE-2013-0263
rack · Feb 7, 2013 · 26c8500 · 26c8500
1 parent feea59c
commit 26c8500
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
@@ -112,7 +112,7 @@ def unpacked_cookie_data(env)
 
           if @secret && session_data
             session_data, digest = session_data.split("--")
-            session_data = nil  unless digest == generate_hmac(session_data)
+            session_data = nil  unless Rack::Utils.secure_compare(digest, generate_hmac(session_data))
           end
 
           coder.decode(session_data) || {}