From 08afa160a56809ca5827c559f409bcb89d362af1 Mon Sep 17 00:00:00 2001
From: Shouichi Kamiya
Date: Wed, 22 Jun 2022 15:15:02 +0900
Subject: [PATCH] Fix urlsafe MessageVerifier not to include padding

urlsafe option was introduced to MessageVerifier in 09c3f36a962a7ffd350dfda643d2f980734cb5c9 but it can generate strings containing padding character ("=") which is not urlsafe. Fix not to pad when base64 encode.
---
 activesupport/lib/active_support/message_verifier.rb | 2 +-
 activesupport/test/message_verifier_test.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index a82af89a09..f062fcd9a8 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -210,7 +210,7 @@ module ActiveSupport
 private
 def encode(data)
- @urlsafe ? Base64.urlsafe_encode64(data) : Base64.strict_encode64(data)
+ @urlsafe ? Base64.urlsafe_encode64(data, padding: false) : Base64.strict_encode64(data)
 end
 def decode(data)
diff --git a/activesupport/test/message_verifier_test.rb b/activesupport/test/message_verifier_test.rb
index 726f999746..0e1e071f8c 100644
--- a/activesupport/test/message_verifier_test.rb
+++ b/activesupport/test/message_verifier_test.rb
@@ -360,6 +360,11 @@ class MessageVerifierUrlsafeTest < MessageVerifierMetadataTest
 assert_equal message, URI.encode_www_form_component(message)
 end
+ def test_no_padding
+ message = generate("a")
+ assert_not_includes message, "="
+ end
+
 private
 def verifier_options
 { urlsafe: true }
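Review bot: The new `encode` line leaves the matching `decode` path implicit; only the signature of `decode` is visible in this hunk, so whether it tolerates missing padding cannot be confirmed from here. Ruby's `Base64.urlsafe_decode64` accepts both padded and unpadded input, so tokens issued before this commit (which may still carry `=`) presumably keep verifying. That compatibility should be stated next to the call, e.g. `# No padding: "=" is not URL-safe. urlsafe_decode64 accepts padded and unpadded input, so tokens issued earlier still verify.` A regression test that feeds a padded token from the old encoder through verification would pin that behaviour.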
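Review bot: `test_no_padding` pins a single payload, `generate("a")`, so it only detects padding if the serialized form of that value happens to have a length that is not a multiple of three, which depends on the configured serializer. Three consecutive lengths cover every remainder, e.g. `%w[a ab abc].each { |v| assert_not_includes generate(v), "=" }`. The test also never feeds the unpadded message back through the verifier; asserting that it verifies and returns the original value would show that the signed token remains accepted after the encoding change. The `verifier_options` method that follows ends outside this hunk.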