diff --git a/README.ja.md b/README.ja.md index e78c88c..6312499 100644 --- a/README.ja.md +++ b/README.ja.md @@ -35,12 +35,6 @@ Play2.2.1 で動作確認をしています。 柔軟に他の操作を組み合わせて使用することができます。 -以前のバージョン ---------------------------------------- - -Play2.1.x 向けの使用方法は [0.10.1 README](https://github.com/t2v/play2-auth/blob/release0.10.1/README.ja.md)をご参照ください。 -Play2.0.x 向けの使用方法は [0.7 README](https://github.com/t2v/play2-auth/blob/release0.7/README.ja.md)をご参照ください。 - Play2.1以前をお使いの方へ --------------------------------------- @@ -53,15 +47,15 @@ Play2.1以前をお使いの方へ `Build.scala` もしくは `build.sbt` にライブラリ依存性定義を追加します。 - "jp.t2v" %% "play2-auth" % "0.11.0", - "jp.t2v" %% "play2-auth-test" % "0.11.0" % "test" + "jp.t2v" %% "play2-auth" % "0.11.1", + "jp.t2v" %% "play2-auth-test" % "0.11.1" % "test" For example: `Build.scala` ```scala val appDependencies = Seq( - "jp.t2v" %% "play2-auth" % "0.11.0-SNAPSHT", - "jp.t2v" %% "play2-auth-test" % "0.11.0-SNAPSHT" % "test" + "jp.t2v" %% "play2-auth" % "0.11.1", + "jp.t2v" %% "play2-auth-test" % "0.11.1" % "test" ) ``` diff --git a/README.md b/README.md index f7c1386..93e0ac9 100644 --- a/README.md +++ b/README.md @@ -34,14 +34,6 @@ Play2x-Auth provides an interface that returns an [`Either[PlainResult, User]`]( making writing complicated action methods easier. [`Either`](http://www.scala-lang.org/api/current/scala/util/Either.html) is a wrapper similar to `Option` -Previous Version ---------------------------------------- - -for Play2.1.x, Please see [previous version 0.10.1 README](https://github.com/t2v/play2-auth/tree/release0.10.1) - -for Play2.0.x, Please see [previous version 0.7 README](https://github.com/t2v/play2-auth/tree/release0.7) - - Attention --------------------------------------- 
@@ -55,15 +47,15 @@ Add dependency declarations into your `Build.scala` or `build.sbt` file: * __for Play2.2.x__ - "jp.t2v" %% "play2-auth" % "0.11.0", - "jp.t2v" %% "play2-auth-test" % "0.11.0" % "test" + "jp.t2v" %% "play2-auth" % "0.11.1", + "jp.t2v" %% "play2-auth-test" % "0.11.1" % "test" For example your `Build.scala` might look like this: ```scala val appDependencies = Seq( - "jp.t2v" %% "play2-auth" % "0.11.0", - "jp.t2v" %% "play2-auth.test" % "0.11.0" % "test" + "jp.t2v" %% "play2-auth" % "0.11.1", + "jp.t2v" %% "play2-auth.test" % "0.11.1" % "test" ) ``` diff --git a/module/src/main/scala/jp/t2v/lab/play2/auth/CookieUtil.scala b/module/src/main/scala/jp/t2v/lab/play2/auth/CookieUtil.scala index 1d03ec2..4086bbb 100644 --- a/module/src/main/scala/jp/t2v/lab/play2/auth/CookieUtil.scala +++ b/module/src/main/scala/jp/t2v/lab/play2/auth/CookieUtil.scala @@ -8,7 +8,22 @@ trait CookieUtil { def verifyHmac(cookie: Cookie): Option[String] = { val (hmac, value) = cookie.value.splitAt(40) - if (Crypto.sign(value) == hmac) Some(value) else None + if (safeEquals(Crypto.sign(value), hmac)) Some(value) else None + } + + // Do not change this unless you understand the security issues behind timing attacks. + // This method intentionally runs in constant time if the two strings have the same length. + // If it didn't, it would be vulnerable to a timing attack. + protected def safeEquals(a: String, b: String) = { + if (a.length != b.length) { + false + } else { + var equal = 0 + for (i <- Array.range(0, a.length)) { + equal |= a(i) ^ b(i) + } + equal == 0 + } } } diff --git a/project/Build.scala b/project/Build.scala index ae9ac1f..8c0e4e3 100644 --- a/project/Build.scala +++ b/project/Build.scala @@ -9,7 +9,7 @@ object ApplicationBuild extends Build { val playVersion = "2.2.0" lazy val baseSettings = Seq( - version := "0.11.0", + version := "0.11.1", scalaVersion := "2.10.3", scalaBinaryVersion := "2.10", organization := "jp.t2v",
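Review bot: `safeEquals` in the CookieUtil hunk is a protected member of a trait that implementors may override, yet it declares no result type; annotate it as `protected def safeEquals(a: String, b: String): Boolean = {` so an override cannot silently widen it. The loop iterates over `Array.range(0, a.length)`, which allocates an Int array on every cookie check; `for (i <- 0 until a.length)` does the same data-independent work without the allocation and keeps the comparison shape the comment describes. Since the project targets the JDK, the hand-rolled loop could also be replaced by the vetted `java.security.MessageDigest.isEqual(a.getBytes("UTF-8"), b.getBytes("UTF-8"))`, which has been a constant-time comparison since JDK 6u17 — worth a comment either way stating which JDK baseline the constant-time guarantee relies on. The comparison short-circuits on differing lengths, which leaks only the length and is acceptable here because `Crypto.sign` output has a fixed width, but that reasoning belongs in the existing comment block rather than being left implicit.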