Ensure MessageVerifier raises appropriate exception on tampered data

commit 48b30608a43afa0c2801f98a141e09a912d5dc0d 1 parent 95b7e4f
@lifo lifo authored
2  activesupport/lib/active_support/message_verifier.rb
@@ -27,7 +27,7 @@ def verify(signed_message)
raise InvalidSignature if signed_message.blank?
data, digest = signed_message.split("--")
- if secure_compare(digest, generate_digest(data))
+ if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
Marshal.load(ActiveSupport::Base64.decode64(data))
else
raise InvalidSignature
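Review bot: In the `if` condition, the presence checks handle input with no `--` separator, but `signed_message.split("--")` still discards anything after a second `--`, so a message of the form `data--digest--extra` is verified as though the trailing segment were not there. Consider `split("--", 2)`, or raising `InvalidSignature` unless the split yields exactly two parts, so that the whole input is covered by the check. A one-line comment explaining that the guards exist to keep a nil `digest` out of `secure_compare` would also help future readers.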
1  activesupport/test/message_verifier_test.rb
@@ -20,6 +20,7 @@ def test_tampered_data_raises
data, hash = @verifier.generate(@data).split("--")
assert_not_verified("#{data.reverse}--#{hash}")
assert_not_verified("#{data}--#{hash.reverse}")
+ assert_not_verified("purejunk")
end
def assert_not_verified(message)
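Review bot: The added `assert_not_verified("purejunk")` exercises only the no-separator case, where `digest` ends up nil; the `data.present?` half of the new guard in `verify` is not tested. Add cases with an empty data part and an empty digest part, for example `assert_not_verified("--#{hash}")` and `assert_not_verified("#{data}--")`, so each branch of the guard has a test that fails if it is removed.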