Dup the arguments to string compare so we can use force_encoding.

rails · Sep 12, 2009 · 76e971e · 76e971e
1 parent 095cf91
commit 76e971e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -168,8 +168,8 @@ def clear_old_cookie_value
     if "foo".respond_to?(:force_encoding)
       # constant-time comparison algorithm to prevent timing attacks
       def secure_compare(a, b)
-        a = a.force_encoding(Encoding::BINARY)
-        b = b.force_encoding(Encoding::BINARY)
+        a = a.dup.force_encoding(Encoding::BINARY)
+        b = b.dup.force_encoding(Encoding::BINARY)
 
         if a.length == b.length
           result = 0