🚑️ [SECURITY] Fix unsafe string comparison

- Closes #156 Signed-off-by: Peter Boling <peter.boling@gmail.com>
oauth-xx · Oct 31, 2021 · 9839886 · 9839886
1 parent 3925b6f
commit 9839886
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/lib/oauth/signature/base.rb b/lib/oauth/signature/base.rb
@@ -51,7 +51,9 @@ def signature
     end
 
     def ==(cmp_signature)
-      signature == cmp_signature
+      check = signature.bytesize ^ cmp_signature.bytesize
+      signature.bytes.zip(cmp_signature.bytes) { |x, y| check |= x ^ y.to_i }
+      check.zero?
     end
 
     def verify