Fix urlsafe MessageVerifier not to include padding

shouichi · shouichi · commit 08afa160a568 · 2022-06-22T15:15:02.000+09:00
urlsafe option was introduced to MessageVerifier in 09c3f36 but it can generate strings containing padding character ("=") which is not urlsafe. Fix not to pad when base64 encode.
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
@@ -210,7 +210,7 @@ def generate(value, expires_at: nil, expires_in: nil, purpose: nil)
 
     private
       def encode(data)
-        @urlsafe ? Base64.urlsafe_encode64(data) : Base64.strict_encode64(data)
+        @urlsafe ? Base64.urlsafe_encode64(data, padding: false) : Base64.strict_encode64(data)
       end
 
       def decode(data)
diff --git a/activesupport/test/message_verifier_test.rb b/activesupport/test/message_verifier_test.rb
@@ -360,6 +360,11 @@ def test_urlsafe
     assert_equal message, URI.encode_www_form_component(message)
   end
 
+  def test_no_padding
+    message = generate("a")
+    assert_not_includes message, "="
+  end
+
   private
     def verifier_options
       { urlsafe: true }
