use constant-time string compare for internal api authentication
Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.
Showing
Please register or sign in to comment