RubyGems - bcrypt - Versions diffs - 3.1.20-java → 3.1.21-java - Mend

bcrypt 3.1.20-java → 3.1.21-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 18e51a94af441c07a71cba0f9d5c8e813ed65b0206e6d143784215d43404be78
-  data.tar.gz: 0f593432119c2166fb96c65786b3bf119d42ecc35d7de1322b7700c81679e3b5
+  metadata.gz: 5a53cbea41295650164328d69013dd030f184e4405221806291465a05ab0e250
+  data.tar.gz: 94e5c47352fef85517b35effc11b2f41a69849af60bda5338a62e15e0b49a68d
 SHA512:
-  metadata.gz: 92e7ac49940ed3c1ac8929da228dc90e48ef9ec12819fe9a83102211f7695c47ad9dd6e7aeb333b6499308556995405c9b7a7fd1b70eb0b12231d070f111f2d3
-  data.tar.gz: bdbfa55d1c5e8c111b31f3c2bd0d90f4408799af5afcca5d53f2c47604033f991238948905f95f91f16a2f08d315283ceda37ea770cbe612d98170771da24394
+  metadata.gz: b43eec31e06923a755e3b133db2c556694b9f084520c600ceffc18f9d406ed250c809d544af5ea396f18a9c3c97d2a6183850cdce19d324bbed8e572cb1b7273
+  data.tar.gz: f3ea42a4fd1de528f4d465ff66db582ac20bfbf2841d71c49de2e379bed89bd919e4c70d0298db04638c58f024be48b978dc33c74a5b8c1fe6398eccd0bd4f85

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,7 @@
+3.1.21 Dec 31 2025
+  - Use constant time comparisons
+  - Mark as Ractor safe
 3.1.20 Nov 17 2023
   - Limit packaged files -- decrease gem filesize by ~28% [GH #272 by @pusewicz]

data/README.md CHANGED Viewed

@@ -30,8 +30,8 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 The bcrypt gem is available on the following Ruby platforms:
 * JRuby
-* RubyInstaller 2.0 – 3.0 builds on Windows with the DevKit
-* Any 2.0 – 3.0 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller builds on Windows with the DevKit
+* Any modern Ruby on a BSD/OS X/Linux system with a compiler
 ## How to use `bcrypt()` in your Rails application

data/ext/mri/bcrypt_ext.c CHANGED Viewed

@@ -111,6 +111,10 @@ static VALUE bc_crypt(VALUE self, VALUE key, VALUE setting) {
 /* Create the BCrypt and BCrypt::Engine modules, and populate them with methods. */
 void Init_bcrypt_ext(){
+#ifdef HAVE_RB_EXT_RACTOR_SAFE
+    rb_ext_ractor_safe(true);
+#endif
     mBCrypt = rb_define_module("BCrypt");
     cBCryptEngine = rb_define_class_under(mBCrypt, "Engine", rb_cObject);

data/lib/bcrypt/password.rb CHANGED Viewed

@@ -73,8 +73,17 @@ module BCrypt
     #    @password == @password.to_s      # => False
     #    @password.to_s == @password      # => True
     #    @password.to_s == @password.to_s # => True
+    #
+    #    secret == @password              # => probably False, because the secret is not a BCrypt::Password instance.
     def ==(secret)
-      super(BCrypt::Engine.hash_secret(secret, @salt))
+      hash = BCrypt::Engine.hash_secret(secret, @salt)
+      return false if hash.strip.empty? || strip.empty? || hash.bytesize != bytesize
+      # Constant time comparison so they can't tell the length.
+      res = 0
+      bytesize.times { |i| res |= getbyte(i) ^ hash.getbyte(i) }
+      res == 0
     end
     alias_method :is_password?, :==

data/lib/bcrypt_ext.jar CHANGED Viewed

Binary file

metadata CHANGED Viewed

@@ -1,22 +1,22 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-  version: 3.1.20
+  version: 3.1.21
 platform: java
 authors:
 - Coda Hale
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-17 00:00:00.000000000 Z
+date: 2025-12-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.2.0
-  name: rake-compiler
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -25,12 +25,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.2.0
 - !ruby/object:Gem::Dependency
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3'
-  name: rspec
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -38,6 +38,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.3
+- !ruby/object:Gem::Dependency
+  name: benchmark
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.0
 description: |2
       bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
       for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
@@ -77,7 +105,8 @@ files:
 homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
-metadata: {}
+metadata:
+  changelog_uri: https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG
 post_install_message:
 rdoc_options:
 - "--title"