From cb90269157aeda3655b1a12ea7be4666c98a5e2c Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Wed, 11 Nov 2009 19:27:54 -0800
Subject: [PATCH] examples/rails_app-2.3.4: fix session verifier 1.9
Rails 2.3.4 screwed up cookie sessions under Ruby 1.9
ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
---
 .../config/initializers/ruby_19_compat.rb | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
diff --git a/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb b/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
new file mode 100644
index 0000000..82987f4
--- /dev/null
+++ b/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
@@ -0,0 +1,40 @@
+# Rails 2.3.4 screwed up cookie sessions under 1.9
+# ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
+
+module ActiveSupport
+
+ class MessageVerifier
+
+ private
+
+ undef_method :secure_compare
+ warn "overriding secure_compare to be Ruby 1.9-friendly"
+
+ # constant-time comparison algorithm to prevent timing attacks
+ def secure_compare(a, b)
+ if a.respond_to?(:bytesize)
+ # > 1.8.6 friendly version
+ if a.bytesize == b.bytesize
+ result = 0
+ j = b.each_byte
+ a.each_byte { |i| result |= i ^ j.next }
+ result == 0
+ else
+ false
+ end
+ else
+ # <= 1.8.6 friendly version
+ if a.size == b.size
+ result = 0
+ for i in 0..(a.length - 1)
+ result |= a[i] ^ b[i]
+ end
+ result == 0
+ else
+ false
+ end
+ end
+ end
+
+ end
+end if Rails::VERSION::STRING == "2.3.4" && String.method_defined?(:bytesize)
--
2.11.4.GIT
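Review bot: The `else` branch labelled `# <= 1.8.6 friendly version` is unreachable: the trailing `end if Rails::VERSION::STRING == "2.3.4" && String.method_defined?(:bytesize)` only installs this override when `String#bytesize` exists, so `a.respond_to?(:bytesize)` is always true and the `for i in 0..(a.length - 1)` loop is dead code. Dropping that branch reduces `secure_compare` to the length check plus `a.each_byte { |i| result |= i ^ j.next }`, which is the only path that runs under the guard anyway. The early `false` on `a.bytesize != b.bytesize` exposes the length mismatch through timing; that matches the Rails original and is presumably harmless because the verifier compares fixed-length digests, but a one-line comment such as `# length mismatch short-circuits: both sides are fixed-length digests` would keep a later reader from "fixing" it into something slower or wrong. The `warn` call fires on every boot of the example app, so gating it with `if $VERBOSE` would keep it out of routine logs.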