authorRafael Mendonça França <rafaelmfranca@gmail.com>2015-02-18 19:37:56 -0200
committerRafael Mendonça França <rafaelmfranca@gmail.com>2015-02-18 19:37:56 -0200
commitd0303d03a94994b7653c629f3cf1578c82a3eccf (patch)
treef29856ba45c6de0141d8ea0cca9f2b49a0b17e8b /actionpack
parentfb876b8a2c9445dc989742a8ea64f8fdcbc7705e (diff)
Try only to decode strings
This approach lets us avoid rescuing NoMethodError when trying to decode
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb6
1 files changed, 4 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 7a7e2431b2..367b736035 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -275,11 +275,13 @@ module ActionController #:nodoc:
# session token. Essentially the inverse of
# +masked_authenticity_token+.
def valid_authenticity_token?(session, encoded_masked_token)
- return false if encoded_masked_token.nil? || encoded_masked_token.empty?
+ if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
+ return false
+ end
begin
masked_token = Base64.strict_decode64(encoded_masked_token)
- rescue ArgumentError, NoMethodError # encoded_masked_token is invalid Base64
+ rescue ArgumentError # encoded_masked_token is invalid Base64
return false
end