This project is archived and is in readonly mode.

Changeset [5e6dab8b34152bc48c89032d20e5bda1511e28fb] by Coda Hale

September 3rd, 2009 @ 10:25 PM

Fix timing attack vulnerability in ActiveSupport::MessageVerifier.

Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC.

Signed-off-by: Michael Koziarski michael@koziarski.com
http://github.com/rails/rails/commit/5e6dab8b34152bc48c89032d20e5bd...

Committed by Coda Hale

  • M activesupport/lib/active_support/message_verifier.rb

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>