Attachment 696259 Details for Bug 909071 – Modified patch for rack 1.3.0

[patch] Modified patch for rack 1.3.0

rubygem-rack-1.3.0-cookie-timing-attack-fix.patch (text/plain), 2.04 KB, created by Brenton Leanhardt on 2013-02-11 19:53:25 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Brenton Leanhardt

Created: 2013-02-11 19:53:25 UTC

Size: 2.04 KB

patch

obsolete

>diff -ur rubygem-rack-1.3.0/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/session/cookie.rb rubygem-rack-1.3.0.new/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/session/cookie.rb
>--- rubygem-rack-1.3.0/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/session/cookie.rb	2013-02-11 10:01:30.281000007 -0500
>+++ rubygem-rack-1.3.0.new/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/session/cookie.rb	2013-02-11 12:59:20.666000007 -0500
>@@ -103,7 +103,7 @@
> 
>           if @secret && session_data
>             session_data, digest = session_data.split("--")
>-            session_data = nil  unless digest == generate_hmac(session_data)
>+            session_data = nil  unless digest_match?(session_data, digest)
>           end
> 
>           coder.decode(session_data) || {}
>@@ -143,6 +143,11 @@
>         generate_sid unless options[:drop]
>       end
> 
>+      def digest_match?(data, digest)
>+        return unless data && digest
>+        Rack::Utils.secure_compare(digest, generate_hmac(data))
>+      end
>+
>       def generate_hmac(data)
>         OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, @secret, data)
>       end
>diff -ur rubygem-rack-1.3.0/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/utils.rb rubygem-rack-1.3.0.new/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/utils.rb
>--- rubygem-rack-1.3.0/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/utils.rb	2013-02-11 10:01:56.809000007 -0500
>+++ rubygem-rack-1.3.0.new/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/utils.rb	2013-02-11 12:57:50.214000007 -0500
>@@ -335,6 +335,18 @@
>     end
>     module_function :byte_ranges
> 
>+    # Constant time string comparison.
>+    def secure_compare(a, b)
>+      return false unless bytesize(a) == bytesize(b)
>+
>+      l = a.unpack("C*")
>+
>+      r, i = 0, -1
>+      b.each_byte { |v| r |= v ^ l[i+=1] }
>+      r == 0
>+    end
>+    module_function :secure_compare
>+
>     # Context allows the use of a compatible middleware at different points
>     # in a request handling stack. A compatible middleware must define
>     # #context which should take the arguments env and app. The first of which

Actions: View | Diff

Attachments on bug 909071: 696259