X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/e342314d8b513dd1b7693a40885fd61d439a3557..d80fac7ad90bfd20d1ad66fba034c2a93e5713d2:/lib/password_hash.rb?ds=inline diff --git a/lib/password_hash.rb b/lib/password_hash.rb index de1f20d31..325955cf1 100644 --- a/lib/password_hash.rb +++ b/lib/password_hash.rb @@ -16,13 +16,13 @@ module PasswordHash if Argon2::HashFormat.valid_hash?(hash) Argon2::Password.verify_password(candidate, hash) elsif salt.nil? - hash == Digest::MD5.hexdigest(candidate) + ActiveSupport::SecurityUtils.secure_compare(hash, Digest::MD5.hexdigest(candidate)) elsif salt.include?("!") algorithm, iterations, salt = salt.split("!") size = Base64.strict_decode64(hash).length - hash == pbkdf2(candidate, salt, iterations.to_i, size, algorithm) + ActiveSupport::SecurityUtils.secure_compare(hash, pbkdf2(candidate, salt, iterations.to_i, size, algorithm)) else - hash == Digest::MD5.hexdigest(salt + candidate) + ActiveSupport::SecurityUtils.secure_compare(hash, Digest::MD5.hexdigest(salt + candidate)) end end