From d0303d03a94994b7653c629f3cf1578c82a3eccf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@gmail.com>
Date: Wed, 18 Feb 2015 19:37:56 -0200
Subject: Try only to decode strings

This approach will avoid us to check for NoMethodError when trying to
decode
---
 .../lib/action_controller/metal/request_forgery_protection.rb       | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 7a7e2431b2..367b736035 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -275,11 +275,13 @@ module ActionController #:nodoc:
       # session token. Essentially the inverse of
       # +masked_authenticity_token+.
       def valid_authenticity_token?(session, encoded_masked_token)
-        return false if encoded_masked_token.nil? || encoded_masked_token.empty?
+        if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
+          return false
+        end
 
         begin
           masked_token = Base64.strict_decode64(encoded_masked_token)
-        rescue ArgumentError, NoMethodError # encoded_masked_token is invalid Base64
+        rescue ArgumentError # encoded_masked_token is invalid Base64
           return false
         end
 
-- 
cgit v1.2.3