ahoy_email 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7d245ad6df5fbb64f6b38292b8b139a1382dda4e
-  data.tar.gz: cd822e8f05cf9eb01a1c37979b67428c2c7fd999
+  metadata.gz: d979a2e35ab4b2d194f8e94b2ade4baf162ce2bf
+  data.tar.gz: 1345860269b934c01a1eba0eb309f15421db2450
 SHA512:
-  metadata.gz: 7c598c2697d2ca2167e2ccb6e5fdedb20a27f831f71b0f7ed0a4907d9b4646e24f6cd02cdbb7be54328dfec81cf9b353d57a3c80bd08cbf21a510b58e3da4463
-  data.tar.gz: a0649a7c6a0c575dc87a8aac7d36e1a53aab6d475c198a04131597001797442d1f3cdcedd442ec3f5f2ba4f64b3a2e4d9ab8d26af1d43d9984d7b060ea181d10
+  metadata.gz: 1a44602d1e85ac40b63b571f4b73b2b5630bb0cee93001f5fdef8c5e4bd5139d9882a102a0c774f799b33b7d2798d89fb684c8fb78dd5e90225b27c7c5994b8d
+  data.tar.gz: 73b8a764a5e953f977f9af13e04be7cdea32eecc5c952806615d1ce95ebc7c2f6583a822f598670b448261c46c4b424edba7249a564804862d897ac7f95212dc

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 0.1.1
+
+- Use secure compare for signature verification
+- Fixed deprecation warnings
+
 ## 0.1.0
 
 - First major release

data/README.md

@@ -10,6 +10,8 @@ You get:
 
 Works with any email service.
 
+:fire: To track visits and events, check out [Ahoy](https://github.com/ankane/ahoy) and [Ahoy Events](https://github.com/ankane/ahoy_events).
+
 ## Installation
 
 Add this line to your application’s Gemfile:

data/ahoy_email.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "actionmailer"
+  spec.add_dependency "rails"
   spec.add_dependency "addressable"
   spec.add_dependency "nokogiri"
 

data/app/controllers/ahoy/messages_controller.rb

@@ -16,8 +16,8 @@ module Ahoy
         @message.save!
       end
       url = params[:url]
-      signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new("sha1"), AhoyEmail.secret_token, url)
-      if params[:signature] == signature
+      signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), AhoyEmail.secret_token, url)
+      if secure_compare(params[:signature], signature)
         redirect_to url
       else
         redirect_to main_app.root_url
@@ -30,5 +30,17 @@ module Ahoy
       @message = AhoyEmail.message_model.where(token: params[:id]).first
     end
 
+    # from https://github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
   end
 end

data/lib/ahoy_email/processor.rb

@@ -89,7 +89,7 @@ module AhoyEmail
           end
 
           if options[:click] and !skip_attribute?(link, "click")
-            signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new("sha1"), AhoyEmail.secret_token, link["href"])
+            signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), AhoyEmail.secret_token, link["href"])
             url =
               AhoyEmail::Engine.routes.url_helpers.url_for(
                 Rails.application.config.action_mailer.default_url_options.merge(

data/lib/ahoy_email/version.rb

@@ -1,3 +1,3 @@
 module AhoyEmail
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ahoy_email
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Andrew Kane
@@ -11,7 +11,7 @@ cert_chain: []
 date: 2014-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: actionmailer
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="