|
 |
1244de |
From 0de876c53fe9355f1e9a73e923519f2a2241f527 Mon Sep 17 00:00:00 2001
|
|
|
1244de |
From: Aaron Patterson <aaron.patterson@gmail.com>
|
|
|
1244de |
Date: Thu, 29 Oct 2015 10:42:44 -0700
|
|
|
1244de |
Subject: [PATCH] use secure string comparisons for basic auth username /
|
|
|
1244de |
password
|
|
|
1244de |
|
|
|
1244de |
this will avoid timing attacks against applications that use basic auth.
|
|
|
1244de |
|
|
|
1244de |
Conflicts:
|
|
|
1244de |
activesupport/lib/active_support/security_utils.rb
|
|
|
1244de |
|
|
|
1244de |
CVE-2015-7576
|
|
|
1244de |
---
|
|
|
1244de |
.../action_controller/metal/http_authentication.rb | 7 +++++-
|
|
|
1244de |
activesupport/lib/active_support/security_utils.rb | 27 ++++++++++++++++++++++
|
|
|
1244de |
2 files changed, 33 insertions(+), 1 deletion(-)
|
|
|
1244de |
create mode 100644 activesupport/lib/active_support/security_utils.rb
|
|
|
1244de |
|
|
|
1244de |
diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb
|
|
|
1244de |
new file mode 100644
|
|
|
1244de |
index 0000000..bb22125
|
|
|
1244de |
--- /dev/null
|
|
|
1244de |
+++ b/activesupport/lib/active_support/security_utils.rb
|
|
|
1244de |
@@ -0,0 +1,27 @@
|
|
|
1244de |
+require 'digest'
|
|
|
1244de |
+
|
|
|
1244de |
+module ActiveSupport
|
|
|
1244de |
+ module SecurityUtils
|
|
|
1244de |
+ # Constant time string comparison.
|
|
|
1244de |
+ #
|
|
|
1244de |
+ # The values compared should be of fixed length, such as strings
|
|
|
1244de |
+ # that have already been processed by HMAC. This should not be used
|
|
|
1244de |
+ # on variable length plaintext strings because it could leak length info
|
|
|
1244de |
+ # via timing attacks.
|
|
|
1244de |
+ def secure_compare(a, b)
|
|
|
1244de |
+ return false unless a.bytesize == b.bytesize
|
|
|
1244de |
+
|
|
|
1244de |
+ l = a.unpack "C#{a.bytesize}"
|
|
|
1244de |
+
|
|
|
1244de |
+ res = 0
|
|
|
1244de |
+ b.each_byte { |byte| res |= byte ^ l.shift }
|
|
|
1244de |
+ res == 0
|
|
|
1244de |
+ end
|
|
|
1244de |
+ module_function :secure_compare
|
|
|
1244de |
+
|
|
|
1244de |
+ def variable_size_secure_compare(a, b) # :nodoc:
|
|
|
1244de |
+ secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
|
|
|
1244de |
+ end
|
|
|
1244de |
+ module_function :variable_size_secure_compare
|
|
|
1244de |
+ end
|
|
|
1244de |
+end
|
|
|
1244de |
--
|
|
|
1244de |
2.2.1
|
|
|
1244de |
|