lib/signet/oauth_1/server.rb in signet-0.10.0 vs lib/signet/oauth_1/server.rb in signet-0.11.0
- old
+ new
@@ -11,11 +11,10 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'faraday'
-
require 'stringio'
require 'addressable/uri'
require 'signet'
require 'signet/errors'
require 'signet/oauth_1'
@@ -55,10 +54,17 @@
[:nonce_timestamp, :client_credential, :token_credential,
:temporary_credential, :verifier].each do |attr|
instance_variable_set("@#{attr}", options[attr])
end
end
+
+ # Constant time string comparison.
+ def safe_equals?(a, b)
+ check = a.bytesize ^ b.bytesize
+ a.bytes.zip(b.bytes) { |x, y| check |= x ^ y.to_i }
+ check == 0
+ end
##
# Determine if the supplied nonce/timestamp pair is valid by calling
# the {#nonce_timestamp} Proc.
#
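Review bot: `safe_equals?` raises NoMethodError when either argument is nil (`b.bytesize` on nil), whereas the `==` it replaces returned false; all three callers in the later hunks pass `auth_hash['oauth_signature']` straight in, so if that key can be absent from a request — I cannot see from these hunks whether an earlier check guarantees it — a malformed Authorization header now surfaces as an exception rather than a failed signature check. A type guard as the first line, `return false unless a.is_a?(String) && b.is_a?(String)`, restores the old rejection behaviour and leaves the string path unchanged. The method also carries only a one-line comment and appears public (no visibility modifier is visible in the hunk); a `##` YARD block stating that the loop length depends only on `a` (the server-computed signature) and that a shorter `b` is handled because `y.to_i` maps nil to 0, plus moving it under `private`, would document the intent and keep it off the class's public surface.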
@@ -283,11 +289,11 @@
# Realm isn't used, and will throw the signature off.
auth_hash.reject{|k,v| k=='realm'}.to_a,
client_credential_secret,
nil
)
- if(computed_signature == auth_hash['oauth_signature'])
+ if safe_equals?(computed_signature, auth_hash['oauth_signature'])
if(auth_hash.fetch('oauth_callback', 'oob').empty?)
'oob'
else
auth_hash.fetch('oauth_callback')
end
@@ -361,11 +367,11 @@
auth_hash.reject{|k,v| k=='realm'}.to_a,
client_credential.secret,
temporary_credential.secret
)
- if(computed_signature == auth_hash['oauth_signature'])
+ if safe_equals?(computed_signature, auth_hash['oauth_signature'])
{:client_credential=>client_credential,
:temporary_credential=>temporary_credential,
:realm=>auth_hash['realm']
}
else
@@ -488,10 +494,10 @@
auth_hash.reject{|k,v| k=='realm'}.to_a,
client_credential_secret,
token_credential_secret
)
- if(computed_signature == auth_hash['oauth_signature'])
+ if safe_equals?(computed_signature, auth_hash['oauth_signature'])
{:client_credential=>client_credential,
:token_credential=>token_credential,
:realm=>auth_hash['realm']
}
else