by shajith
5812 days ago
The original post to the mailing list mentions the ruby open-id library (along with Java and Python libraries) as being vulnerable. Checking out the code, it looks like the string comparison at the end of the check_message_signature method will leak timing info (uses rb_str_cmp internally?).

Link: http://github.com/openid/ruby-openid/blob/master/lib/openid/...

Edit: Was wrong about what could leak.
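
The general class of leak discussed in the comment above, as an added example that is not part of the original comment and is not ruby-openid's code: an early-exit comparison of an HMAC signature does work proportional to the matching prefix, while a constant-time comparison always touches every byte. All names and sample values are constructed for illustration, and the count of bytes examined stands in for elapsed time so the result is deterministic.

```ruby
require 'openssl'

# Constructed sample values; not taken from any real OpenID exchange.
SECRET  = 'constructed-association-secret'
MESSAGE = "mode:id_res\nidentity:https://example.test/user\n"

# HMAC-SHA256 over the message, returned as a 32-byte binary string.
def sign(secret, message)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, message)
end

# Early-exit comparison: stops at the first differing byte.
# Returns [equal?, bytes_examined]; the second value is the timing proxy.
def early_exit_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison: XORs every byte pair and accumulates the
# difference, so the work done does not depend on where the mismatch is.
def constant_time_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    diff |= x ^ y
    examined += 1
  end
  [diff.zero?, examined]
end

# Test input: a copy of `expected` whose first n bytes match and whose
# remaining bytes are all wrong (each byte XOR 0xff always differs).
def signature_with_matching_prefix(expected, n)
  candidate = expected.dup
  (n...candidate.bytesize).each { |i| candidate.setbyte(i, candidate.getbyte(i) ^ 0xff) }
  candidate
end

if __FILE__ == $PROGRAM_NAME
  expected = sign(SECRET, MESSAGE)
  [0, 5, 31].each do |n|
    wrong = signature_with_matching_prefix(expected, n)
    puts "prefix=#{n} early_exit=#{early_exit_compare(expected, wrong)[1]} constant_time=#{constant_time_compare(expected, wrong)[1]}"
  end
end
```
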