rack-protection 1.5.4 → 1.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 71f8780cd91d2ec881c8622094bde958d462c694
-  data.tar.gz: 803060435de3c98a1b45c07b48e60a4eefda8a54
+SHA256:
+  metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
+  data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
 SHA512:
-  metadata.gz: 9b88c68b897647193d934418a72f370df60058efb59a9d96e3421efb5989e7d76379a048293c3b9abea043fb4a89cf83b5f4d6972b81233143c6d23b6dfad190
-  data.tar.gz: 92343bb6e7ffcdf6ffa35ccc3d324ca3a18d751ae10cad03c7baa6a5f8b5cacca9a4e3424a5effd1235fbc2f0783a9cef3ad218054e8d270bd1c6be6cd7e660c
+  metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
+  data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58

data/lib/rack/protection/authenticity_token.rb

@@ -23,8 +23,8 @@ module Rack
         session = session env
         token   = session[:csrf] ||= session['_csrf_token'] || random_string
         safe?(env) ||
-          env['HTTP_X_CSRF_TOKEN'] == token ||
-          Request.new(env).params[options[:authenticity_param]] == token
+          secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
+          secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -110,6 +110,30 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
+      # The implementations of secure_compare and bytesize are taken from
+      # Rack::Utils to be able to support rack older than XXXX.
+      def secure_compare(a, b)
+        return false unless bytesize(a) == bytesize(b)
+
+        l = a.unpack("C*")
+
+        r, i = 0, -1
+        b.each_byte { |v| r |= v ^ l[i+=1] }
+        r == 0
+      end
+
+      # Return the bytesize of String; uses String#size under Ruby 1.8 and
+      # String#bytesize under 1.9.
+      if ''.respond_to?(:bytesize)
+        def bytesize(string)
+          string.bytesize
+        end
+      else
+        def bytesize(string)
+          string.size
+        end
+      end
+
       alias default_reaction deny
 
       def html?(headers)

data/lib/rack/protection/version.rb

@@ -4,7 +4,7 @@ module Rack
       VERSION
     end
 
-    SIGNATURE = [1, 5, 4]
+    SIGNATURE = [1, 5, 5]
     VERSION   = SIGNATURE.join('.')
 
     VERSION.extend Comparable

data/rack-protection.gemspec

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.5.4"
+  s.version     = "1.5.5"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.5.4
+  version: 1.5.5
 platform: ruby
 authors:
 - Konstantin Haase
@@ -35,7 +35,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-19 00:00:00.000000000 Z
+date: 2018-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -168,7 +168,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: You should use protection!