From 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 Mon Sep 17 00:00:00 2001
From: James Tucker
Date: Thu, 7 Feb 2013 14:47:10 -0800
Subject: [PATCH] Use secure_compare for hmac comparison
* Closes CVE-2013-0263
---
 lib/rack/session/cookie.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index 75986758d..be537a9c6 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -159,7 +159,7 @@ def destroy_session(env, session_id, options)
 def digest_match?(data, digest)
 return unless data && digest
 @secrets.any? do |secret|
- digest == generate_hmac(data, secret)
+ Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
 end
 end
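Review bot: The new `Rack::Utils.secure_compare` call in digest_match? should carry a comment saying why it must not be "simplified" back to `==`, otherwise a future cleanup can silently reintroduce the timing side channel this commit closes: `String#==` returns at the first differing byte, so response time reveals how long a correct prefix of a forged digest is. Suggested comment directly above the `@secrets.any?` line: `# Constant-time compare: == short-circuits on the first mismatching byte and leaks how much of a forged digest is correct via timing (CVE-2013-0263).` It is also worth noting in that comment that `digest` is presumably taken from the client-supplied cookie, so the `return unless data && digest` guard on the line above is the only validation applied before comparison. Minor style point: that guard returns nil rather than false from a predicate method; `return false unless data && digest` would make the contract explicit without changing any caller that tests truthiness.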