From f76ca450f5027a4fa578d939b35fe4f608f2423e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@gmail.com>
Date: Sat, 25 Nov 2017 11:33:11 -0500
Subject: [PATCH] Compare the actual string after comparing the HMAC proccessed
 strings

Even that collisions are unlikely we need to make sure the two strings
are equal.

Timing is not important in this case because this only runs after the
comparison between the SHA256 digested strings returns true.
---
 activesupport/lib/active_support/security_utils.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb
index 4d129bfe41..20b6b9cd3f 100644
--- a/activesupport/lib/active_support/security_utils.rb
+++ b/activesupport/lib/active_support/security_utils.rb
@@ -24,7 +24,7 @@ module ActiveSupport
     # The values are first processed by SHA256, so that we don't leak length info
     # via timing attacks.
     def secure_compare(a, b)
-      fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
+      fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) && a == b
     end
     module_function :secure_compare
   end