Fixed #57 secure-compare length issue

ring-clojure · May 15, 2013 · be1eac9 · be1eac9
1 parent cf17e62
commit be1eac9
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/ring-core/src/ring/middleware/session/cookie.clj b/ring-core/src/ring/middleware/session/cookie.clj
@@ -83,10 +83,10 @@
     (str (codec/base64-encode data) "--" (hmac key data))))
 
 (defn- secure-compare [^String a ^String b]
-  (if (and a b (= (.length a) (.length b)))
-    (zero? (reduce bit-or
-                   (map bit-xor (.getBytes a) (.getBytes b))))
-    false))
+  (let [a (map int a), b (map int b)]
+    (if (and a b (= (count a) (count b)))
+      (zero? (reduce bit-or (map bit-xor a b)))
+      false)))
 
 (defn- unseal
   "Retrieve a sealed Clojure data structure from a string"