Dup the arguments to string compare so we can use force_encoding.

Conflicts:

	activesupport/lib/active_support/message_verifier.rb
1 parent 2524ac8 commit 6ddb7de407a1330bff9383e9587c9a01fc69d7ee @NZKoz NZKoz committed Sep 12, 2009
Showing with 8 additions and 5 deletions.
  1. +8 −5 activesupport/lib/active_support/message_verifier.rb
@@ -38,14 +38,17 @@ def generate(value)
end
private
- if "foo".respond_to?(:bytesize)
+ if "foo".respond_to?(:force_encoding)
# constant-time comparison algorithm to prevent timing attacks
- # > 1.8.6 friendly version
def secure_compare(a, b)
- if a.bytesize == b.bytesize
+ a = a.dup.force_encoding(Encoding::BINARY)
+ b = b.dup.force_encoding(Encoding::BINARY)
+
+ if a.length == b.length
result = 0
- j = b.each_byte
- a.each_byte { |i| result |= i ^ j.next }
+ for i in 0..(a.length - 1)
+ result |= a[i].ord ^ b[i].ord
+ end
result == 0
else
false
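Review bot: the `else false` branch still returns as soon as `a.length != b.length`, so after this change the comparison is constant-time only for equal-length inputs and an attacker can still learn whether the two lengths match; that is acceptable if the caller always passes fixed-length digests, but the "constant-time comparison" comment above `def secure_compare` should say so, since nothing in this hunk enforces it. Two smaller points on the same hunk: `a[i].ord ^ b[i].ord` allocates a one-character String for every byte of both inputs, and because this branch is only taken where `force_encoding` exists, `getbyte` is available too, so `result |= a.getbyte(i) ^ b.getbyte(i)` would do the same work without the per-byte allocations; and `a.dup` is what makes the `force_encoding` safe on frozen or shared strings, so a short comment on `a = a.dup.force_encoding(Encoding::BINARY)` saying the copy is deliberate would stop someone "optimising" it away later.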
