1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| | # Rails 2.3.4 screwed up cookie sessions under 1.9
# ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
module ActiveSupport
class MessageVerifier
private
undef_method :secure_compare
warn "overriding secure_compare to be Ruby 1.9-friendly"
# constant-time comparison algorithm to prevent timing attacks
def secure_compare(a, b)
if a.bytesize == b.bytesize
result = 0
j = b.each_byte
a.each_byte { |i| result |= i ^ j.next }
result == 0
else
false
end
end
end
end if Rails::VERSION::STRING == "2.3.4" && "."[0] == "."
|