root@ef0f9d3cc50e:/app# diff /usr/local/bundle/gems/actionpack-5.2.5/lib/action_controller/metal/request_forgery_protection.rb /usr/local/bundle/gems/actionpack-5.2.4.5/lib/action_controller/metal/request_forgery_protection.rb --color
323a324,328
> one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
> encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
> masked_token = one_time_pad + encrypted_csrf_token
> Base64.urlsafe_encode64(masked_token, padding: false)
>
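Review bot: the `>` block at 324-327 encodes with `Base64.urlsafe_encode64(masked_token, padding: false)`, yet the same file decodes at line 341 with `Base64.strict_decode64`, which raises `ArgumentError` on `-`, `_` or missing padding, so the two do not round-trip. The command names the 5.2.5 file first, so `>` lines belong to 5.2.4.5 and `<` lines to 5.2.5. This diff format shows no context, so please confirm whether that encode call is actually the method's return value, and where 5.2.5 performs the masking that is absent at this position.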
336c341
< masked_token = Base64.urlsafe_decode64(encoded_masked_token)
---
> masked_token = Base64.strict_decode64(encoded_masked_token)
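Review bot: the decoder swap at 336/341 is compatible in one direction only. `Base64.urlsafe_decode64` on the 5.2.5 side also accepts the standard alphabet and padded input, so tokens produced by `strict_encode64` still decode, but `Base64.strict_decode64` on the 5.2.4.5 side fails on URL-safe or unpadded tokens. If both versions serve traffic at once during a rolling deploy, tokens issued by 5.2.5 will not decode on 5.2.4.5 instances. Both decoders raise `ArgumentError` on malformed input and the caller's handling is not visible here, so check that it is rescued and treated as a failed token check rather than an unhandled exception.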
374c379
< Base64.urlsafe_encode64(masked_token).delete("=")
---
> Base64.strict_encode64(masked_token)
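Review bot: style point on the 5.2.5 side at 374: `Base64.urlsafe_encode64(masked_token).delete("=")` strips padding by scanning the whole string, while `Base64.urlsafe_encode64(masked_token, padding: false)`, the form used in the 324-328 block, states the intent directly, provided the minimum supported Ruby has the `padding:` keyword. The emitted token also changes alphabet and loses its trailing `=`, so anything that stores, compares or pattern-matches the encoded token string (cached pages, client-side code reading the token, test fixtures) should be checked against the new format.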
400,401c405,406
< session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
< Base64.urlsafe_decode64(session[:_csrf_token])
---
> session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
> Base64.strict_decode64(session[:_csrf_token])
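Review bot: missing rollback note for the session format change at 400-401. Because of `||=`, sessions that already hold a value written by `SecureRandom.base64` keep it, and `Base64.urlsafe_decode64` still decodes that, so upgrading is safe for existing sessions. A session first created on 5.2.5 stores an unpadded URL-safe value from `SecureRandom.urlsafe_base64`, which `Base64.strict_decode64(session[:_csrf_token])` on the 5.2.4.5 side cannot decode when it contains `-` or `_` or needed padding. Document that a downgrade or a mixed fleet needs those sessions reset, or keep a tolerant decoder on the older side.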