lib/stripe/util.rb in stripe-2.7.0 vs lib/stripe/util.rb in stripe-2.8.0
- old
+ new
@@ -254,7 +254,19 @@
else
expected_key = first_key
end
end
end
+
+ # Constant time string comparison to prevent timing attacks
+ # Code borrowed from ActiveSupport
+ def self.secure_compare(a, b)
+ return false unless a.bytesize == b.bytesize
+
+ l = a.unpack "C#{a.bytesize}"
+
+ res = 0
+ b.each_byte { |byte| res |= byte ^ l.shift }
+ res == 0
+ end
end
end
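Review bot: The comment on `secure_compare` promises a constant-time comparison, but the `return false unless a.bytesize == b.bytesize` guard exits early, so timing is independent of content only when both inputs have the same length. That is acceptable for fixed-length values such as hex-encoded HMAC digests, but the comment should say so, e.g. `# Constant-time only for equal-length inputs; compare fixed-length digests, not raw secrets.` The method also calls `bytesize` on both arguments unguarded, so a nil argument (for instance an absent signature value; the callers are outside this hunk) raises NoMethodError rather than returning false. If callers can pass nil, `return false if a.nil? || b.nil?` as the first line would keep the rejection path uniform.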