RubyGems - signature - Versions diffs - 0.1.7 → 0.1.8 - Mend

signature 0.1.7 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 45dfb9bf73deb5b9c3961cad306a604054c86f8e
-  data.tar.gz: f04bbaf672ca9f8e283639f42c909d0646e435fd
+  metadata.gz: 39b2250d70f97d089486041724cc1c550d5472ef
+  data.tar.gz: 9bd71807a08401cb9309bceaa56b8b951f173f9b
 SHA512:
-  metadata.gz: a04b5b87253ae99c85bc67867f3114f5f6477a0089ea7ac0790da6f20b12f303c85a97c5c5211b82e01482820f96c021654d09b87f879793349b6bc700f49a1f
-  data.tar.gz: 1f657808c67898b40c9dcb476a23bab3787c3f237db4e888968c577064a7fe544ec140c89cd3f70daad94fd9b9a3e9c060a3d43502a490bdfbc7cbfc4647545e
+  metadata.gz: 3f5b1b5b66df41a44ca5b2b42c47f1f060140f30fa38a614cd276b9d6a8e7170c3700ebd06a8e2b98ac0ac1047249e2e3d4b180e3587b42be191e9afd000ade4
+  data.tar.gz: 2066ce0c53e2778299f33d2a713f3fc5aa9770ff271d9b073f759e6f2f12aae5c1302ba9d3d94bd1be2e4907b56d14f29e9cb56284e2019e83a75ae6ad99c9fc

data/.gitignore CHANGED

@@ -19,3 +19,5 @@ rdoc
 pkg
 ## PROJECT::SPECIFIC
+.rbx
+.rspec

data/.travis.yml CHANGED

@@ -3,12 +3,15 @@ rvm:
   - 1.8.7
   - 1.9.2
   - 1.9.3
-  - jruby-18mode # JRuby in 1.8 mode
-  - jruby-19mode # JRuby in 1.9 mode
+  - 2.0.0
+  - jruby-18mode
+  - jruby-19mode
   - rbx-18mode
   - rbx-19mode
 matrix:
   allow_failures:
+    - rvm: jruby-18mode
+    - rvm: jruby-19mode
     - rvm: rbx-18mode
     - rvm: rbx-19mode

data/CHANGELOG.md ADDED

@@ -0,0 +1,5 @@
+0.1.8 / 2015-01-16
+==================
+  * SECURITY: Perform constant time string comparison when validating signatures

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    signature (0.1.7)
+    signature (0.1.8)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED

@@ -16,7 +16,7 @@ auth_hash    = request.sign(token)
 query_params = params.merge(auth_hash)
 HTTParty.post('http://myservice/api/thing', {
-  :query => query_params
+  :body => query_params
 })
 ```

data/lib/signature.rb CHANGED

@@ -213,12 +213,18 @@ module Signature
       end
       def validate_signature!(token)
-        unless @auth_hash["auth_signature"] == signature(token)
+        unless identical? @auth_hash["auth_signature"], signature(token)
           raise AuthenticationError, "Invalid signature: you should have "\
             "sent HmacSHA256Hex(#{string_to_sign.inspect}, your_secret_key)"\
             ", but you sent #{@auth_hash["auth_signature"].inspect}"
         end
         return true
       end
+      # Constant time string comparison
+      def identical?(a, b)
+        return false unless a.bytesize == b.bytesize
+        a.bytes.zip(b.bytes).reduce(0) { |memo, (a, b)| memo += a ^ b } == 0
+      end
   end
 end

data/lib/signature/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Signature
-  VERSION = "0.1.7"
+  VERSION = "0.1.8"
 end

metadata CHANGED

@@ -1,41 +1,41 @@
 --- !ruby/object:Gem::Specification
 name: signature
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.8
 platform: ruby
 authors:
 - Martyn Loughran
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-04-22 00:00:00.000000000 Z
+date: 2015-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: em-spec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Simple key/secret based authentication for apis
@@ -45,8 +45,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .travis.yml
+- ".gitignore"
+- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -67,17 +68,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.0
+rubygems_version: 2.2.2
 signing_key:
 specification_version: 4
 summary: Simple key/secret based authentication for apis