@bascule what possible use case is there for letting them proceed with a forged message? Take it further, verify should return the msg
@nzkoz that's... what it does. Read the code? ;)
@bascule tl;dr ;) is the verify! method not public? fwiw we got a CVE for a non-public method in MessageEncryptor enabling padding oracle
@nzkoz well, it's not there yet, and arguably of dubious value. Chime in on the PR. It's not possible to have padding oracles with NaCl
@bascule sure my point was more if you have a method which is public but not meant for users, some moron will use it and get pwned
@nzkoz the intent of the PR is for it to be public. Whether or not it should exist at all is up for debate
End of conversation
New conversation
@bascule I thought ! just meant you were mutating the object (e.g. String#gsub!, Array#map!). I'd make all of them raise.
@tenderlove that's how it worked before this change. This change just exposes an API that doesn't raise.
End of conversation
New conversation
@bascule agreed wholeheartedly.