Use secure_compare for hmac comparison

* Closes CVE-2013-0263
author: James Tucker <jftucker@gmail.com> 2013-02-07 14:47:10 -0800
committer: James Tucker <jftucker@gmail.com> 2013-02-07 18:33:34 -0800
commit: dcc7e6fa5106e1e8129f4bbe21f7e1607dbf5197 (patch)
tree: a31bb770271397e46782bd2cf902d730dccaef90
parent: 8748d492a4bc966de51f2ddf8edd498a3fa0e122 (diff)
download: rack-dcc7e6fa5106e1e8129f4bbe21f7e1607dbf5197.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index f2de5407..5aa80cb6 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -165,7 +165,7 @@ module Rack
        def digest_match?(data, digest)
          return unless data && digest
          @secrets.any? do |secret|
-          digest == generate_hmac(data, secret)
+          Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
          end
        end
author	James Tucker <jftucker@gmail.com>	2013-02-07 14:47:10 -0800
committer	James Tucker <jftucker@gmail.com>	2013-02-07 18:33:34 -0800
commit	dcc7e6fa5106e1e8129f4bbe21f7e1607dbf5197 (patch)
tree	a31bb770271397e46782bd2cf902d730dccaef90
parent	8748d492a4bc966de51f2ddf8edd498a3fa0e122 (diff)
download	rack-dcc7e6fa5106e1e8129f4bbe21f7e1607dbf5197.tar.gz