Custom serializers and deserializers in MessageVerifier and MessageEncryptor.

By default, these classes use Marshal for serializing and deserializing messages. Unfortunately, the Marshal format is closely associated with Ruby internals and even changes between different interpreters. This makes the resulting message very hard to impossible to unserialize messages generated by these classes in other environments like node.js.

This patch solves this by allowing you to set your own custom serializer and deserializer lambda functions. By default, it still uses Marshal to be backwards compatible.

1 files changed, 6 insertions, 2 deletions

diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index 8f3946325a..e38e242cfe 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -21,9 +21,13 @@ module ActiveSupport
   class MessageVerifier
     class InvalidSignature < StandardError; end
 
+    attr_accessor :serializer, :deserializer
+    
     def initialize(secret, digest = 'SHA1')
       @secret = secret
       @digest = digest
+      @serializer = lambda { |value| Marshal.dump(value) }
+      @deserializer = lambda { |value| Marshal.load(value) }
     end
 
     def verify(signed_message)
@@ -31,14 +35,14 @@ module ActiveSupport
 
       data, digest = signed_message.split("--")
       if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
-        Marshal.load(ActiveSupport::Base64.decode64(data))
+        deserializer.call(ActiveSupport::Base64.decode64(data))
       else
         raise InvalidSignature
       end
     end
 
     def generate(value)
-      data = ActiveSupport::Base64.encode64s(Marshal.dump(value))
+      data = ActiveSupport::Base64.encode64s(serializer.call(value))
       "#{data}--#{generate_digest(data)}"
     end