Use secure compare.

2026-04-28 03:00:29 -04:00 · 2011-02-15 20:17:15 +01:00
parent 9b0b505159
commit eb2385ad17
2 changed files with 12 additions and 1 deletions
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -210,6 +210,17 @@ module Devise
      ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
    end

+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false unless a.present? && b.present?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
    # Make Devise aware of an 3rd party Devise-module. For convenience.
    #
    # == Options:
--- a/lib/devise/models/database_authenticatable.rb
+++ b/lib/devise/models/database_authenticatable.rb
@@ -55,7 +55,7 @@ module Devise

      # Verifies whether an incoming_password (ie from sign in) is the user password.
      def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
      end

      # Checks if a resource is valid upon authentication.