From cb90269157aeda3655b1a12ea7be4666c98a5e2c Mon Sep 17 00:00:00 2001
From: Eric Wong <normalperson@yhbt.net>
Date: Wed, 11 Nov 2009 19:27:54 -0800
Subject: examples/rails_app-2.3.4: fix session verifier 1.9

Rails 2.3.4 screwed up cookie sessions under Ruby 1.9
ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
---
 .../config/initializers/ruby_19_compat.rb          | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb

(limited to 'examples/rails_app-2.3.4')

diff --git a/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb b/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
new file mode 100644
index 0000000..82987f4
--- /dev/null
+++ b/examples/rails_app-2.3.4/config/initializers/ruby_19_compat.rb
@@ -0,0 +1,40 @@
+# Rails 2.3.4 screwed up cookie sessions under 1.9
+# ref: https://rails.lighthouseapp.com/projects/8994/tickets/3144
+
+module ActiveSupport
+
+  class MessageVerifier
+
+    private
+
+      undef_method :secure_compare
+      warn "overriding secure_compare to be Ruby 1.9-friendly"
+
+      # constant-time comparison algorithm to prevent timing attacks
+      def secure_compare(a, b)
+        if a.respond_to?(:bytesize)
+          # > 1.8.6 friendly version
+          if a.bytesize == b.bytesize
+            result = 0
+            j = b.each_byte
+            a.each_byte { |i| result |= i ^ j.next }
+            result == 0
+          else
+            false
+          end
+        else
+          # <= 1.8.6 friendly version
+          if a.size == b.size
+            result = 0
+            for i in 0..(a.length - 1)
+              result |= a[i] ^ b[i]
+            end
+            result == 0
+          else
+            false
+          end
+        end
+      end
+
+  end
+end if Rails::VERSION::STRING == "2.3.4" && String.method_defined?(:bytesize)
-- 
cgit v1.2.3-24-ge0c7