| author | James Tucker <jftucker@gmail.com> | 2013-02-07 14:47:10 -0800 |
|---|---|---|
| committer | James Tucker <jftucker@gmail.com> | 2013-02-07 18:33:34 -0800 |
| commit | dcc7e6fa5106e1e8129f4bbe21f7e1607dbf5197 (patch) | |
| tree | a31bb770271397e46782bd2cf902d730dccaef90 | |
| parent | 8748d492a4bc966de51f2ddf8edd498a3fa0e122 (diff) | |
| download | rack-dcc7e6fa5106e1e8129f4bbe21f7e1607dbf5197.tar.gz | |
Use secure_compare for hmac comparison
* Closes CVE-2013-0263
-rw-r--r-- | lib/rack/session/cookie.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb index f2de5407..5aa80cb6 100644 --- a/lib/rack/session/cookie.rb +++ b/lib/rack/session/cookie.rb @@ -165,7 +165,7 @@ module Rack def digest_match?(data, digest) return unless data && digest @secrets.any? do |secret| - digest == generate_hmac(data, secret) + Rack::Utils.secure_compare(digest, generate_hmac(data, secret)) end end |
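Review bot: in `digest_match?` the guard `return unless data && digest` still returns `nil` rather than a boolean, and the diffstat shows only `lib/rack/session/cookie.rb` changed, so the new comparison path has no regression test; consider `return false unless data && digest` and a test asserting that a cookie whose digest has been altered is rejected for every configured secret. The switch from `==` to `Rack::Utils.secure_compare(digest, generate_hmac(data, secret))` is the right fix for the early-exit string comparison named in the commit message (CVE-2013-0263), but a one-line comment above the call explaining why `==` must not be used here would stop a later cleanup from reverting it; note also that `@secrets.any?` still stops at the first matching secret, which is acceptable for key rotation but worth stating in that comment.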