lib/rack/auth/digest/md5.rb in rack-1.5.5 vs lib/rack/auth/digest/md5.rb in rack-1.6.0.beta
- old
+ new
@@ -94,10 +94,10 @@
auth.nonce.valid?
end
def valid_digest?(auth)
pw = @authenticator.call(auth.username)
- pw && digest(auth, pw) == auth.response
+ pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
end
def md5(data)
::Digest::MD5.hexdigest(data)
end
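Review bot: The `pw &&` short-circuit in `valid_digest?` still returns before any digest is computed when the authenticator yields nothing for the username, so the constant-time comparison only protects the known-user path. Whether that difference is observable depends on the authenticator, which is not visible in this hunk. If it matters for the deployment, compute `digest` against a fixed placeholder secret when `pw` is nil and discard the result, so both paths do the same work. Separately, a comment above the comparison such as `# constant-time compare: == stops at the first differing byte and leaks timing` would keep the call from being simplified back to `==` later.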