use constant-time string compare for internal api authentication (!8928) · 合并请求 · 王权利 / large

王权利请求将github/fork/Mic92/master合并到master 3月 07, 2015

Created by: Mic92

Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacs because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.

use constant-time string compare for internal api authentication

合并请求报告