improve a few examples to avoid timing attacks

mojolicious · Jan 25, 2016 · 6f79a68 · 6f79a68
1 parent d68a6c8
commit 6f79a68
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/Changes b/Changes
@@ -1,5 +1,6 @@
 
 6.43  2016-01-25
+  - Improved a few examples to avoid timing attacks.
 
 6.42  2016-01-24
   - Fixed use of deprecated Perl feature in Mojo::JSON.

diff --git a/lib/Mojolicious/Guides/Cookbook.pod b/lib/Mojolicious/Guides/Cookbook.pod
@@ -1226,13 +1226,14 @@ Basic authentication data will be automatically extracted from the
 C<Authorization> header.
 
   use Mojolicious::Lite;
+  use Mojo::Util 'secure_compare';
 
   get '/' => sub {
     my $c = shift;
 
     # Check for username "Bender" and password "rocks"
     return $c->render(text => 'Hello Bender!')
-      if $c->req->url->to_abs->userinfo eq 'Bender:rocks';
+      if secure_compare $c->req->url->to_abs->userinfo, 'Bender:rocks';
 
     # Require authentication
     $c->res->headers->www_authenticate('Basic');

diff --git a/lib/Mojolicious/Guides/Growing.pod b/lib/Mojolicious/Guides/Growing.pod
@@ -266,6 +266,8 @@ separation of concerns more visible.
   use strict;
   use warnings;
 
+  use Mojo::Util 'secure_compare';
+
   my $USERS = {
     joel      => 'las3rs',
     marcus    => 'lulz',
@@ -278,7 +280,7 @@ separation of concerns more visible.
     my ($self, $user, $pass) = @_;
 
     # Success
-    return 1 if $USERS->{$user} && $USERS->{$user} eq $pass;
+    return 1 if $USERS->{$user} && secure_compare $USERS->{$user}, $pass;
 
     # Fail
     return undef;

diff --git a/t/mojo/util.t b/t/mojo/util.t
@@ -388,6 +388,8 @@ ok secure_compare('♥1', '♥1'), 'values are equal';
 ok !secure_compare('♥',   '♥0'),  'values are not equal';
 ok !secure_compare('0♥',  '♥'),   'values are not equal';
 ok !secure_compare('0♥1', '1♥0'), 'values are not equal';
+ok !secure_compare('',      '♥'),   'values are not equal';
+ok !secure_compare('♥',   ''),      'values are not equal';
 
 # xor_encode
 is xor_encode('hello', 'foo'), "\x0e\x0a\x03\x0a\x00", 'right result';