Dup the arguments to string compare so we can use force_encoding.

commit e590508a9b7ab5cf99d7a7675a92a1257cb9f6f8 1 parent 81cba78
Michael Koziarski NZKoz authored
Showing with 2 additions and 2 deletions.
  1. +2 −2 activesupport/lib/active_support/message_verifier.rb
4 activesupport/lib/active_support/message_verifier.rb
@@ -41,8 +41,8 @@ def generate(value)
if "foo".respond_to?(:force_encoding)
# constant-time comparison algorithm to prevent timing attacks
def secure_compare(a, b)
- a = a.force_encoding(Encoding::BINARY)
- b = b.force_encoding(Encoding::BINARY)
+ a = a.dup.force_encoding(Encoding::BINARY)
+ b = b.dup.force_encoding(Encoding::BINARY)
if a.length == b.length
result = 0
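
Review bot: the two added .dup calls at the top of secure_compare carry no explanation, so a later cleanup could drop them as redundant. A one-line comment would cover it, for example that force_encoding changes the receiver in place, so the copies leave the caller's strings in their original encoding and let frozen arguments through. The commit touches only message_verifier.rb; a regression test that passes a non-binary string to the verifier and checks its encoding afterwards would pin the behaviour.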

3 comments on commit e590508

Kuba Kuźma

Is it a joke?

Kuba Kuźma

If you want to solve every encoding problem in this way, consider using my "force_encoding" gem http://github.com/qoobaa/force_encoding - you can think about merging the gem into ActiveSupport as well ;-).

Peace guys.

Michael Koziarski
Owner

No, the CI server broke with your original patch despite it working here for me on the same version.

Given how ... inconsequential this method is, it's easier to go with the simple fix which works and just park the whole discussion :)
