From a8a336cbfc55f91dc8befaad2425ff42085a1a4f Mon Sep 17 00:00:00 2001 From: Yehuda Katz Date: Sat, 12 Sep 2009 14:35:03 -0500 Subject: [PATCH] Revert "ruby 1.9 friendly secure_compare" because it breaks CI and Sam Ruby's suite This reverts commit 5de75398c495f109772b622291362a98bc6c21d1. --- .../lib/active_support/message_verifier.rb | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb index 5596784eff..8d14423d91 100644 --- a/activesupport/lib/active_support/message_verifier.rb +++ b/activesupport/lib/active_support/message_verifier.rb @@ -38,21 +38,24 @@ module ActiveSupport end private - if "foo".respond_to?(:bytesize) + if "foo".respond_to?(:force_encoding) # constant-time comparison algorithm to prevent timing attacks - # > 1.8.6 friendly version def secure_compare(a, b) - if a.bytesize == b.bytesize + a = a.force_encoding(Encoding::BINARY) + b = b.force_encoding(Encoding::BINARY) + + if a.length == b.length result = 0 - j = b.each_byte - a.each_byte { |i| result |= i ^ j.next } + for i in 0..(a.length - 1) + result |= a[i].ord ^ b[i].ord + end result == 0 else false end end else - # For <= 1.8.6 + # For 1.8 def secure_compare(a, b) if a.length == b.length result = 0