authorRafael Mendonça França <rafaelmfranca@gmail.com>2017-11-25 11:39:37 -0500
committerRafael Mendonça França <rafaelmfranca@gmail.com>2017-11-25 11:39:37 -0500
commit0623b5d19408ef3093bef3597bfcb12cf70a08a3 (patch)
tree9027e49a5e270a5fe61088f3d38adb05854c88ed /actionpack/lib/action_controller/metal/http_authentication.rb
parent8c750ffb92a8e5ee5661875c52dbc1a7686fb1bc (diff)
parentfa487763d98ccf9c3e66fdb44f09af5c37a50fe5 (diff)
Merge pull request #24510 from vipulnsward/make-variable_size_secure_compare-public
Make variable_size_secure_compare public
Diffstat (limited to 'actionpack/lib/action_controller/metal/http_authentication.rb')
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb11
1 files changed, 4 insertions, 7 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 0c8132684a..01676f3237 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -72,10 +72,10 @@ module ActionController
before_action(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
# This comparison uses & so that it doesn't short circuit and
- # uses `variable_size_secure_compare` so that length information
+ # uses `secure_compare` so that length information
# isn't leaked.
- ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
- ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+ ActiveSupport::SecurityUtils.secure_compare(name, options[:name]) &
+ ActiveSupport::SecurityUtils.secure_compare(password, options[:password])
end
end
end
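Review bot: The updated comment on the added lines claims `secure_compare` does not leak length information, which only holds if `secure_compare` is now the digest-based (formerly `variable_size_secure_compare`) variant this PR promotes; the older fixed-length `secure_compare` returned early on unequal lengths, so the rename should be confirmed to have landed in ActiveSupport::SecurityUtils in the same merge, otherwise the comment is wrong. Separately, if `password` can be nil here (e.g. Basic credentials decoded without a colon), a digest-based compare raises on nil rather than returning false, turning a malformed header into an exception instead of a 401; coercing with `ActiveSupport::SecurityUtils.secure_compare(password.to_s, options[:password].to_s)` (and likewise for `name`) would keep it a clean rejection without changing the constant-time property. The method enclosing this `before_action` starts before the hunk.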
@@ -350,10 +350,7 @@ module ActionController
# authenticate_or_request_with_http_token do |token, options|
# # Compare the tokens in a time-constant manner, to mitigate
# # timing attacks.
- # ActiveSupport::SecurityUtils.secure_compare(
- # ::Digest::SHA256.hexdigest(token),
- # ::Digest::SHA256.hexdigest(TOKEN)
- # )
+ # ActiveSupport::SecurityUtils.secure_compare(token, TOKEN)
# end
# end
# end
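Review bot: The shortened doc example relies on `secure_compare` accepting inputs of differing length without leaking length; if that is the newly renamed variable-size variant, the example should say so, since `secure_compare` previously required equal-length strings and the old example pre-hashed with SHA256 precisely to work around that. A one-line addition after the "timing attacks" comment, `# secure_compare hashes both sides internally, so no pre-digesting is needed.`, would keep readers on older Rails from copying this pattern or reintroducing the digest unnecessarily. The surrounding documented class in this example begins before the hunk.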