authorEric Wong <normalperson@yhbt.net>2009-11-11 19:27:54 -0800
committerEric Wong <normalperson@yhbt.net>2009-11-11 19:27:54 -0800
commitcb90269157aeda3655b1a12ea7be4666c98a5e2c (patch)
tree3384015b2f70cccea8668acedf9f6bb5e5fe37b6 /examples/rails_app-2.3.4/config
parent82190a59a79a39fe8ac66073532878506bdc7a35 (diff)
downloadupr-cb90269157aeda3655b1a12ea7be4666c98a5e2c.tar.gz
examples/rails_app-2.3.4: fix session verifier 1.9
Rails 2.3.4 screwed up cookie sessions under Ruby 1.9
ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
Diffstat (limited to 'examples/rails_app-2.3.4/config')
-rw-r--r--examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb40
1 files changed, 40 insertions, 0 deletions
diff --git a/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb b/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
new file mode 100644
index 0000000..82987f4
--- /dev/null
+++ b/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
@@ -0,0 +1,40 @@
+# Rails 2.3.4 screwed up cookie sessions under 1.9
+# ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
+
+module ActiveSupport
+
+  class MessageVerifier
+
+    private
+
+      undef_method :secure_compare
+      warn "overriding secure_compare to be Ruby 1.9-friendly"
+
+      # constant-time comparison algorithm to prevent timing attacks
+      def secure_compare(a, b)
+        if a.respond_to?(:bytesize)
+          # > 1.8.6 friendly version
+          if a.bytesize == b.bytesize
+            result = 0
+            j = b.each_byte
+            a.each_byte { |i| result |= i ^ j.next }
+            result == 0
+          else
+            false
+          end
+        else
+          # <= 1.8.6 friendly version
+          if a.size == b.size
+            result = 0
+            for i in 0..(a.length - 1)
+              result |= a[i] ^ b[i]
+            end
+            result == 0
+          else
+            false
+          end
+        end
+      end
+
+  end
+end if Rails::VERSION::STRING == "2.3.4" && String.method_defined?(:bytesize)
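Review bot: The `<= 1.8.6 friendly version` branch of `secure_compare` cannot be reached with String arguments, because the trailing `String.method_defined?(:bytesize)` modifier means every String responds to `bytesize` whenever this patch is applied. It runs only when `a` is not a String (for example `nil`), where `a.size` raises NoMethodError instead of returning false; `b.bytesize` in the first branch fails the same way for a non-String `b`. The callers are not visible in this hunk, so whether a malformed cookie can deliver a missing digest here should be confirmed. I would drop the dead branch and open the method with `return false unless a.respond_to?(:bytesize) && b.respond_to?(:bytesize)`, so a bad input is a verification failure rather than an exception. That early return depends only on argument type, not on secret bytes, so it does not weaken the constant-time property the comment claims.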