From 0de876c53fe9355f1e9a73e923519f2a2241f527 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Thu, 29 Oct 2015 10:42:44 -0700 Subject: [PATCH] use secure string comparisons for basic auth username / password this will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb CVE-2015-7576 --- .../action_controller/metal/http_authentication.rb | 7 +++++- activesupport/lib/active_support/security_utils.rb | 27 ++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 activesupport/lib/active_support/security_utils.rb diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb new file mode 100644 index 0000000..bb22125 --- /dev/null +++ b/activesupport/lib/active_support/security_utils.rb @@ -0,0 +1,27 @@ +require 'digest' + +module ActiveSupport + module SecurityUtils + # Constant time string comparison. + # + # The values compared should be of fixed length, such as strings + # that have already been processed by HMAC. This should not be used + # on variable length plaintext strings because it could leak length info + # via timing attacks. + def secure_compare(a, b) + return false unless a.bytesize == b.bytesize + + l = a.unpack "C#{a.bytesize}" + + res = 0 + b.each_byte { |byte| res |= byte ^ l.shift } + res == 0 + end + module_function :secure_compare + + def variable_size_secure_compare(a, b) # :nodoc: + secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) + end + module_function :variable_size_secure_compare + end +end -- 2.2.1