Merge remote-tracking branch 'upstream/pull/4747'
[rails.git] / lib / password_hash.rb
index de1f20d317afec7e1f2429e30af67ced716fdb2a..325955cf114f1a207bf93a9dbf8f58a11d16fed0 100644 (file)
@@ -16,13 +16,13 @@ module PasswordHash
     if Argon2::HashFormat.valid_hash?(hash)
       Argon2::Password.verify_password(candidate, hash)
     elsif salt.nil?
-      hash == Digest::MD5.hexdigest(candidate)
+      ActiveSupport::SecurityUtils.secure_compare(hash, Digest::MD5.hexdigest(candidate))
     elsif salt.include?("!")
       algorithm, iterations, salt = salt.split("!")
       size = Base64.strict_decode64(hash).length
-      hash == pbkdf2(candidate, salt, iterations.to_i, size, algorithm)
+      ActiveSupport::SecurityUtils.secure_compare(hash, pbkdf2(candidate, salt, iterations.to_i, size, algorithm))
     else
-      hash == Digest::MD5.hexdigest(salt + candidate)
+      ActiveSupport::SecurityUtils.secure_compare(hash, Digest::MD5.hexdigest(salt + candidate))
     end
   end
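Review bot: The two MD5 branches now fail differently when the stored `hash` is not a String. `ActiveSupport::SecurityUtils.secure_compare` expects two strings and raises on `nil`, whereas the old `hash == ...` simply returned false. Whether a caller can pass a nil or empty stored hash is not visible here, since the method's signature and callers are outside the hunk. If it can, coerce the argument, e.g. `ActiveSupport::SecurityUtils.secure_compare(hash.to_s, Digest::MD5.hexdigest(candidate))`, and do the same in the salted MD5 branch, so a malformed record gives a failed login rather than an exception. A short comment such as `# constant-time compare: avoid leaking how many leading digest characters matched` above the first call would record why `==` must not be reintroduced.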