lib/rack/session/cookie.rb in rack-1.5.1 vs lib/rack/session/cookie.rb in rack-1.5.2
- old
+ new
@@ -63,10 +63,23 @@
def decode(str)
return unless str
::Marshal.load(super(str)) rescue nil
end
end
+
+ # N.B. Unlike other encoding methods, the contained objects must be a
+ # valid JSON composite type, either a Hash or an Array.
+ class JSON < Base64
+ def encode(obj)
+ super(::Rack::Utils::OkJson.encode(obj))
+ end
+
+ def decode(str)
+ return unless str
+ ::Rack::Utils::OkJson.decode(super(str)) rescue nil
+ end
+ end
end
# Use no encoding for session cookies
class Identity
def encode(str); str; end
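Review bot: The class comment on the new JSON coder documents the Hash/Array restriction but not the other half of the contract a session user needs: `decode` returns nil for any malformed or tampered payload, because the `rescue nil` modifier swallows every StandardError raised by both the Base64 step and `OkJson.decode`, so the caller cannot distinguish "no cookie" from "corrupt cookie". Since JSON has no symbol type, a session hash stored with symbol keys presumably comes back with string keys after a round trip — worth confirming against OkJson and stating in the comment, as that is the main behavioural difference from the Marshal coder directly above. Suggested addition after the existing N.B.: `# Keys round-trip as Strings; malformed input decodes to nil rather than raising.` The `rescue nil` mirrors the Marshal coder's style, so I would not change it in this commit, but a short note that this is deliberate (an unreadable cookie yields an empty session) would help the next reader.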
@@ -150,10 +163,10 @@
end
def digest_match?(data, digest)
return unless data && digest
@secrets.any? do |secret|
- digest == generate_hmac(data, secret)
+ Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
end
end
def generate_hmac(data, secret)
OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
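Review bot: The switch to `Rack::Utils.secure_compare` in digest_match? has no comment saying why it replaced `==`, and the reason is not obvious from the code: a plain string comparison returns as soon as one byte differs, so response timing can reveal how many leading bytes of a supplied digest are correct. Suggested comment on the changed line: `# Constant-time compare: a short-circuiting == would leak, via timing, how much of a forged digest matches.` Note that `secure_compare` should reject mismatched lengths up front (so an empty or truncated `digest` from the cookie is simply false) — worth a one-line check against its implementation, since `return unless data && digest` on the line above lets an empty string through. The body of generate_hmac continues outside the hunk.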