Use secure_compare when checking CSRF token

Since string comparisons may return early we want to use a constant
time comparison function to protect the CSRF token against timing
attacks. Rack::Utils provides such a function.
jeltz authored and zzak committed May 25, 2015
1 parent 0bf1125 commit d8068e872b0f19ef9de25265552cb1b835270901
Showing with 7 additions and 2 deletions.
  1. +2 −2 lib/rack/protection/authenticity_token.rb
  2. +5 −0 lib/rack/protection/base.rb
@@ -23,8 +23,8 @@ def accepts?(env)
session = session env
token = session[:csrf] ||= session['_csrf_token'] || random_string
safe?(env) ||
- env['HTTP_X_CSRF_TOKEN'] == token ||
- Request.new(env).params[options[:authenticity_param]] == token
+ secure_compare(env['HTTP_X_CSRF_TOKEN'], token) ||
+ secure_compare(Request.new(env).params[options[:authenticity_param]], token)
end
end
end
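Review bot: the nil case changes semantics in the two new `secure_compare` calls. With `==`, an absent `HTTP_X_CSRF_TOKEN` header or missing authenticity param compared nil against the token and was simply false; the new helper (see base.rb in this commit) runs `to_s` on both sides, so nil becomes `""` and the check is only still false because `token` is assumed never to be empty. Consider an explicit guard so the result does not depend on that assumption, e.g. `(header = env['HTTP_X_CSRF_TOKEN']) && secure_compare(header, token)`, and likewise for the param lookup.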
@@ -1,4 +1,5 @@
require 'rack/protection'
+require 'rack/utils'
require 'digest'
require 'logger'
require 'uri'
@@ -110,6 +111,10 @@ def encrypt(value)
options[:encryptor].hexdigest value.to_s
end
+ def secure_compare(a, b)
+ Rack::Utils.secure_compare(a.to_s, b.to_s)
+ end
+
alias default_reaction deny
def html?(headers)
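Review bot: the new `secure_compare` helper is undocumented, and its `to_s` coercion is the part callers need to know about: a nil argument is compared as the empty string rather than raising or returning false outright. Add a one-line comment above `def secure_compare(a, b)` stating that both values are stringified before the constant-time comparison, and that callers must make sure the reference token is never empty. It would also help to say why the comparison is delegated to `Rack::Utils.secure_compare` (constant-time, per the commit message) so a later reader does not replace it with `==`.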