distack-urlsign 0.2.0 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/distack/urlsign/signer.rb +23 -1
- data/lib/distack/urlsign/version.rb +1 -1
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: dc58ae17f2443ff15708829cfb9c6f9ca3c14533
|
|
4
|
+
data.tar.gz: 6f26d565eaab0e7c9219e26ad40f75d4fc06522b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0de42d39cda52754c89f97690da64b7754f168b4e1f9e5eda878ef4e60b9af2f5ae5e9c2c885f6eb1f28951beb61cbc35daff9e30dba624408e3e2646c527e5c
|
|
7
|
+
data.tar.gz: 52b92b7cf65281d71d27dda60416f31405edc73f479cf8f1146109010a003079d0f045c3d03cc5b91f6dcfaf623440f024086b0a7feff8892d21522629776a0e
|
|
@@ -54,7 +54,7 @@ module Distack::URLSign
|
|
|
54
54
|
rawsig = OpenSSL::HMAC.digest(digest, @key, chunks.join)
|
|
55
55
|
signature = Base64.urlsafe_encode64(rawsig)
|
|
56
56
|
|
|
57
|
-
if signature
|
|
57
|
+
if secure_compare(signature, q["_signature"])
|
|
58
58
|
new_url = url.dup
|
|
59
59
|
new_url.query = original_qs
|
|
60
60
|
new_url
|
|
@@ -62,5 +62,27 @@ module Distack::URLSign
|
|
|
62
62
|
raise InvalidSignatureError, "signature is invalid for #{url}"
|
|
63
63
|
end
|
|
64
64
|
end
|
|
65
|
+
|
|
66
|
+
private
|
|
67
|
+
|
|
68
|
+
# Constant time string comparison.
|
|
69
|
+
#
|
|
70
|
+
# The values compared should be of fixed length, such as strings
|
|
71
|
+
# that have already been processed by HMAC. This should not be used
|
|
72
|
+
# on variable length plaintext strings because it could leak length info
|
|
73
|
+
# via timing attacks.
|
|
74
|
+
#
|
|
75
|
+
# Copied from ActiveSupport
|
|
76
|
+
#
|
|
77
|
+
# https://github.com/rails/rails/blob/036bbda9eb3b3885223d53646777733a1547d89a/activesupport/lib/active_support/security_utils.rb#L11-L19
|
|
78
|
+
def secure_compare(a, b)
|
|
79
|
+
return false unless a.bytesize == b.bytesize
|
|
80
|
+
|
|
81
|
+
l = a.unpack "C#{a.bytesize}"
|
|
82
|
+
|
|
83
|
+
res = 0
|
|
84
|
+
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
85
|
+
res == 0
|
|
86
|
+
end
|
|
65
87
|
end
|
|
66
88
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: distack-urlsign
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rodrigo Kochenburger
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-04-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -107,9 +107,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
107
107
|
version: '0'
|
|
108
108
|
requirements: []
|
|
109
109
|
rubyforge_project:
|
|
110
|
-
rubygems_version: 2.4.5
|
|
110
|
+
rubygems_version: 2.4.5
|
|
111
111
|
signing_key:
|
|
112
112
|
specification_version: 4
|
|
113
113
|
summary: urlsign is a simple HMAC-based implementation for URL signing and verification
|
|
114
114
|
test_files: []
|
|
115
|
-
has_rdoc:
|