diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:25:11 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:25:11 -0800 |
commit | 6dfab475ca230dfcad7a603483431c8e7a8f908e (patch) | |
tree | 69ca8ade43b0e39e1d8cffa68390e9052e589acf /actionpack/lib/action_controller/metal | |
parent | 14e92bac1a4c199e5e8936c6bdc64420293ea6d1 (diff) | |
parent | 908c011395cc9e3ea1bb195f9d1bd30a9d9df98f (diff) | |
download | rails-6dfab475ca230dfcad7a603483431c8e7a8f908e.tar.gz rails-6dfab475ca230dfcad7a603483431c8e7a8f908e.tar.bz2 rails-6dfab475ca230dfcad7a603483431c8e7a8f908e.zip |
Merge branch '5-0-beta-sec'
* 5-0-beta-sec:
bumping version
fix version update task to deal with .beta1.1
Eliminate instance level writers for class accessors
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
Diffstat (limited to 'actionpack/lib/action_controller/metal')
-rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 2ac6e37e34..35be6d9300 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -1,4 +1,5 @@ require 'base64' +require 'active_support/security_utils' module ActionController # Makes it dead easy to do HTTP Basic, Digest and Token authentication. @@ -68,7 +69,11 @@ module ActionController def http_basic_authenticate_with(options = {}) before_action(options.except(:name, :password, :realm)) do authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| - name == options[:name] && password == options[:password] + # This comparison uses & so that it doesn't short circuit and + # uses `variable_size_secure_compare` so that length information + # isn't leaked. + ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & + ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) end end end |