MessageVerifier#verify raises InvalidSignature if the signature is blank

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2026-01-09 14:48:08 -05:00 · 2009-10-05 08:27:54 -04:00
parent b480da5cd6
commit 9212138ad0
2 changed files with 7 additions and 0 deletions
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -26,6 +26,8 @@ module ActiveSupport
    end
    
    def verify(signed_message)
+      raise InvalidSignature if signed_message.blank?
+
      data, digest = signed_message.split("--")
      if secure_compare(digest, generate_digest(data))
        Marshal.load(ActiveSupport::Base64.decode64(data))
--- a/activesupport/test/message_verifier_test.rb
+++ b/activesupport/test/message_verifier_test.rb
@@ -18,6 +18,11 @@ class MessageVerifierTest < Test::Unit::TestCase
    assert_equal @data, @verifier.verify(message)
  end

+  def test_missing_signature_raises
+    assert_not_verified(nil)
+    assert_not_verified("")
+  end
+
  def test_tampered_data_raises
    data, hash = @verifier.generate(@data).split("--")
    assert_not_verified("#{data.reverse}--#{hash}")