
Ensure MessageVerifier raises appropriate exception on tampered data

1 parent 95b7e4f commit 48b30608a43afa0c2801f98a141e09a912d5dc0d @lifo lifo committed Oct 9, 2009
2 activesupport/lib/active_support/message_verifier.rb
@@ -27,7 +27,7 @@ def verify(signed_message)
raise InvalidSignature if signed_message.blank?
data, digest = signed_message.split("--")
- if secure_compare(digest, generate_digest(data))
+ if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
Marshal.load(ActiveSupport::Base64.decode64(data))
else
raise InvalidSignature
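Review bot: the unchanged split("--") just above the new guard takes no limit, so when the input contains more than one "--" the assignment data, digest = ... silently discards every segment after the second. A validly signed message with extra "--" material appended would therefore still get past the present? checks and secure_compare. Consider split("--", 2) so that anything trailing ends up in digest and fails the comparison, and add a comment on the guard saying it exists to turn a missing separator (digest is nil) into InvalidSignature.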
1 activesupport/test/message_verifier_test.rb
@@ -20,6 +20,7 @@ def test_tampered_data_raises
data, hash = @verifier.generate(@data).split("--")
assert_not_verified("#{data.reverse}--#{hash}")
assert_not_verified("#{data}--#{hash.reverse}")
+ assert_not_verified("purejunk")
end
def assert_not_verified(message)
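Review bot: the added assertion in test_tampered_data_raises only covers input with no separator at all ("purejunk"), which exercises the digest.present? half of the new guard but not data.present?. Suggest also asserting on a message with the separator and one side empty, for example assert_not_verified("--#{hash}") and assert_not_verified("#{data}--"), so both conditions in verify have a test that fails if either is removed.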
