Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

ruby 1.9 friendly secure_compare

Signed-off-by: Michael Koziarski <michael@koziarski.com>
  • Loading branch information...
commit b22c951e7adabe8d37ee2804487c267d5e2006b1 1 parent ff2eb2d
@qoobaa qoobaa authored NZKoz committed
Showing with 6 additions and 9 deletions.
  1. +6 −9 activesupport/lib/active_support/message_verifier.rb
View
15 activesupport/lib/active_support/message_verifier.rb
@@ -38,24 +38,21 @@ def generate(value)
end
private
- if "foo".respond_to?(:force_encoding)
+ if "foo".respond_to?(:bytesize)
# constant-time comparison algorithm to prevent timing attacks
+ # > 1.8.6 friendly version
def secure_compare(a, b)
- a = a.force_encoding(Encoding::BINARY)
- b = b.force_encoding(Encoding::BINARY)
-
- if a.length == b.length
+ if a.bytesize == b.bytesize
result = 0
- for i in 0..(a.length - 1)
- result |= a[i].ord ^ b[i].ord
- end
+ j = b.each_byte
+ a.each_byte { |i| result |= i ^ j.next }
result == 0
else
false
end
end
else
- # For 1.8
+ # For <= 1.8.6
def secure_compare(a, b)
if a.length == b.length
result = 0

2 comments on commit b22c951

@rubys

Stack traceback for Ruby 1.8.7:

/home/rubys/git/awdwr/work/depot/vendor/rails/activesupport/lib/active_support/message_verifier.rb:47:in `each_byte'
/home/rubys/git/awdwr/work/depot/vendor/rails/activesupport/lib/active_support/message_verifier.rb:47:in `secure_compare'
/home/rubys/git/awdwr/work/depot/vendor/rails/activesupport/lib/active_support/message_verifier.rb:28:in `verify'
/home/rubys/git/awdwr/work/depot/vendor/rails/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb:170:in `unmarshal'
Please sign in to comment.
Something went wrong with that request. Please try again.