Make secure_compare handle empty strings comparison correctly

Used Rails' secure_compare method inside the definition of
secure_compare. This will handle the empty strings comparison and
return true when both the parameters are empty strings.

Fixes #4441, #4829
Shriram
2018-04-03 08:14:13 +05:30
committed by Carlos Antonio da Silva
parent 8054ad55c3
commit 05bbc71446
3 changed files with 10 additions and 8 deletions


@@ -517,12 +517,8 @@ module Devise
# constant-time comparison algorithm to prevent timing attacks
def self.secure_compare(a, b)
return false if a.blank? || b.blank? || a.bytesize != b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
return false if a.nil? || b.nil?
ActiveSupport::SecurityUtils.secure_compare(a, b)
end
def self.deprecator
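
Review bot: the guard change in `secure_compare` from `a.blank? || b.blank?` to `a.nil? || b.nil?` means that two empty strings, and two identical whitespace-only strings, now compare as equal, but the comment above the method still only says "constant-time comparison algorithm to prevent timing attacks". Please extend that comment to state that nil on either side returns false and that two empty strings return true, so callers comparing a submitted token against a stored value know they have to reject a blank stored value themselves before calling this method. The explicit `a.bytesize != b.bytesize` check is also gone, so the result for inputs of different length now depends entirely on `ActiveSupport::SecurityUtils.secure_compare`; a test covering nil, empty, whitespace-only and different-length inputs would pin that behaviour down.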