diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-10-29 10:42:44 -0700 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-22 14:55:14 -0800 |
| commit | 17e6f1507b7f2c2a883c180f4f9548445d6dfbda (patch) | |
| tree | e9dd60b7d1a2f90407b264c8e1f7555119e3c698 | |
| parent | 099ddfdefd44fda11d0f6a72f934f8a0ee83141b (diff) | |
| download | rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.tar.gz rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.tar.bz2 rails-17e6f1507b7f2c2a883c180f4f9548445d6dfbda.zip | |
use secure string comparisons for basic auth username / password
this will avoid timing attacks against applications that use basic auth.
CVE-2015-7576
| -rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 | ||||
| -rw-r--r-- | activesupport/lib/active_support/security_utils.rb | 7 |
2 files changed, 13 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 2ac6e37e34..35be6d9300 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -1,4 +1,5 @@ require 'base64' +require 'active_support/security_utils' module ActionController # Makes it dead easy to do HTTP Basic, Digest and Token authentication. @@ -68,7 +69,11 @@ module ActionController def http_basic_authenticate_with(options = {}) before_action(options.except(:name, :password, :realm)) do authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| - name == options[:name] && password == options[:password] + # This comparison uses & so that it doesn't short circuit and + # uses `variable_size_secure_compare` so that length information + # isn't leaked. + ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & + ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) end end end diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb index 64c4801179..9be8613ada 100644 --- a/activesupport/lib/active_support/security_utils.rb +++ b/activesupport/lib/active_support/security_utils.rb @@ -1,3 +1,5 @@ +require 'digest' + module ActiveSupport module SecurityUtils # Constant time string comparison. @@ -16,5 +18,10 @@ module ActiveSupport res == 0 end module_function :secure_compare + + def variable_size_secure_compare(a, b) # :nodoc: + secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) + end + module_function :variable_size_secure_compare end end |