X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/aad81eb74c9e6d70971f938da542271b8a70b638..7d4cc85a312cb79fd1c4b0f22626722bea1d736d:/lib/password_hash.rb diff --git a/lib/password_hash.rb b/lib/password_hash.rb index de1f20d31..325955cf1 100644 --- a/lib/password_hash.rb +++ b/lib/password_hash.rb @@ -16,13 +16,13 @@ module PasswordHash if Argon2::HashFormat.valid_hash?(hash) Argon2::Password.verify_password(candidate, hash) elsif salt.nil? - hash == Digest::MD5.hexdigest(candidate) + ActiveSupport::SecurityUtils.secure_compare(hash, Digest::MD5.hexdigest(candidate)) elsif salt.include?("!") algorithm, iterations, salt = salt.split("!") size = Base64.strict_decode64(hash).length - hash == pbkdf2(candidate, salt, iterations.to_i, size, algorithm) + ActiveSupport::SecurityUtils.secure_compare(hash, pbkdf2(candidate, salt, iterations.to_i, size, algorithm)) else - hash == Digest::MD5.hexdigest(salt + candidate) + ActiveSupport::SecurityUtils.secure_compare(hash, Digest::MD5.hexdigest(salt + candidate)) end end