distack-urlsign 0.2.0 → 0.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: bde30f8bddc0975bcd335a8168978b2cb955b0d2
4
- data.tar.gz: 6d4c08ccf86e571e7256b220d2dffd37179bc77c
3
+ metadata.gz: dc58ae17f2443ff15708829cfb9c6f9ca3c14533
4
+ data.tar.gz: 6f26d565eaab0e7c9219e26ad40f75d4fc06522b
5
5
  SHA512:
6
- metadata.gz: c03f0fdefa293cc1754dc8bc122882e0f09d1009fb505d884fdb070de00602bb3250848390d9d557d774842aa67456192e53c3b9d71937778dd49570a07e7129
7
- data.tar.gz: f0b417d94280566133290179ecfc7945edb9f8a0c7054e439f1998bc9302a3a76086ae66703c15873cc35b6caeb8e9f84c08f4c0b2a8211b42a6f92c77008248
6
+ metadata.gz: 0de42d39cda52754c89f97690da64b7754f168b4e1f9e5eda878ef4e60b9af2f5ae5e9c2c885f6eb1f28951beb61cbc35daff9e30dba624408e3e2646c527e5c
7
+ data.tar.gz: 52b92b7cf65281d71d27dda60416f31405edc73f479cf8f1146109010a003079d0f045c3d03cc5b91f6dcfaf623440f024086b0a7feff8892d21522629776a0e
@@ -54,7 +54,7 @@ module Distack::URLSign
54
54
  rawsig = OpenSSL::HMAC.digest(digest, @key, chunks.join)
55
55
  signature = Base64.urlsafe_encode64(rawsig)
56
56
 
57
- if signature == q["_signature"]
57
+ if secure_compare(signature, q["_signature"])
58
58
  new_url = url.dup
59
59
  new_url.query = original_qs
60
60
  new_url
@@ -62,5 +62,27 @@ module Distack::URLSign
62
62
  raise InvalidSignatureError, "signature is invalid for #{url}"
63
63
  end
64
64
  end
65
+
66
+ private
67
+
68
+ # Constant time string comparison.
69
+ #
70
+ # The values compared should be of fixed length, such as strings
71
+ # that have already been processed by HMAC. This should not be used
72
+ # on variable length plaintext strings because it could leak length info
73
+ # via timing attacks.
74
+ #
75
+ # Copied from ActiveSupport
76
+ #
77
+ # https://github.com/rails/rails/blob/036bbda9eb3b3885223d53646777733a1547d89a/activesupport/lib/active_support/security_utils.rb#L11-L19
78
+ def secure_compare(a, b)
79
+ return false unless a.bytesize == b.bytesize
80
+
81
+ l = a.unpack "C#{a.bytesize}"
82
+
83
+ res = 0
84
+ b.each_byte { |byte| res |= byte ^ l.shift }
85
+ res == 0
86
+ end
65
87
  end
66
88
  end
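Review bot: The new `secure_compare` assumes both arguments are Strings, so the changed comparison `if secure_compare(signature, q["_signature"])` now raises NoMethodError (`bytesize` on nil) when the query carries no `_signature` parameter — `q["_signature"]` is presumably nil in that case — whereas the old `==` test fell through to `InvalidSignatureError`; the same applies if the query parser yields an Array for a repeated `_signature`. Guarding the type restores the old failure mode: `return false unless b.is_a?(String) && a.bytesize == b.bytesize`, and the method comment should state that a missing or non-String value is rejected rather than raised on. The early length return is acceptable here because `signature` is a fixed-length encoded HMAC, as the comment already notes. The method containing the comparison begins before this hunk, so it is not visible whether `private` actually covers the caller (an instance method vs. a `def self.` method on the module). Since the gem already depends on rack, `Rack::Utils.secure_compare` may be available for the supported rack versions and would avoid carrying a vendored copy — worth confirming against the minimum rack version.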
@@ -1,5 +1,5 @@
1
1
  module Distack
2
2
  module URLSign
3
- VERSION = "0.2.0"
3
+ VERSION = "0.3.0"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: distack-urlsign
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rodrigo Kochenburger
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2016-02-19 00:00:00.000000000 Z
11
+ date: 2016-04-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -107,9 +107,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
107
107
  version: '0'
108
108
  requirements: []
109
109
  rubyforge_project:
110
- rubygems_version: 2.4.5.1
110
+ rubygems_version: 2.4.5
111
111
  signing_key:
112
112
  specification_version: 4
113
113
  summary: urlsign is a simple HMAC-based implementation for URL signing and verification
114
114
  test_files: []
115
- has_rdoc: