Dup the arguments to string compare so we can use force_encoding.

Conflicts: activesupport/lib/active_support/message_verifier.rb
rails · Sep 12, 2009 · 6ddb7de · 6ddb7de
1 parent 2524ac8
commit 6ddb7de
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
@@ -38,14 +38,17 @@ def generate(value)
     end
 
     private
-      if "foo".respond_to?(:bytesize)
+      if "foo".respond_to?(:force_encoding)
         # constant-time comparison algorithm to prevent timing attacks
-        # > 1.8.6 friendly version
         def secure_compare(a, b)
-          if a.bytesize == b.bytesize
+          a = a.dup.force_encoding(Encoding::BINARY)
+          b = b.dup.force_encoding(Encoding::BINARY)
+
+          if a.length == b.length
             result = 0
-            j = b.each_byte
+            for i in 0..(a.length - 1)
-            a.each_byte { |i| result |= i ^ j.next }
+              result |= a[i].ord ^ b[i].ord
+            end
             result == 0
           else
             false