AtHeartEngineer/devise
1
1
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2026-01-10 08:08:00 -05:00
Code Issues Packages Projects Releases Wiki Activity

Make secure_compare handle empty strings comparison correctly

Browse Source 
Used Rails' secure_compare method inside the definition of secure_compare. This will handle the empty strings comparison and return true when both the parameters are blank strings.

Fixes #4441
This commit is contained in:
Shriram
2018-04-03 08:14:13 +05:30
committed by Marcos Ferreira
parent afaad713ff
commit 64238fc80e
2 changed files with 6 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/devise.rb
View File

@@ -502,12 +502,8 @@ module Devise
# constant-time comparison algorithm to prevent timing attacks
def self.secure_compare(a, b)
return false if a.blank? || b.blank? || a.bytesize != b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
return false if a.nil? || b.nil?
ActiveSupport::SecurityUtils.secure_compare(a, b)
end
end

5
test/devise_test.rb
View File

@@ -90,11 +90,14 @@ class DeviseTest < ActiveSupport::TestCase
[nil, ""].each do |empty|
refute Devise.secure_compare(empty, "something")
refute Devise.secure_compare("something", empty)
refute Devise.secure_compare(empty, empty)
end
refute Devise.secure_compare("size_1", "size_four")
end
test 'Devise.secure_compare should return true if strings are same' do
assert Devise.secure_compare('', '')
end
test 'Devise.email_regexp should match valid email addresses' do
valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua", "test@tt", "test@valid---domain.com"]
non_valid_emails = ["rex", "test user@example.com", "test_user@example server.com"]