diff options
| author | Nick Malcolm <nick@revert.io> | 2016-04-12 00:14:09 +1200 |
|---|---|---|
| committer | Nick Malcolm <nick@revert.io> | 2016-04-12 09:41:51 +1200 |
| commit | 750e6dafd23698ad3cd363cd52c55502b1a12375 (patch) | |
| tree | 50c7a31697012d318e26578dfa441dddb554b094 /actionpack/lib/action_controller | |
| parent | 0caf8ffd7d19a3a3c8d7eca158b4ea66185ce4ae (diff) | |
| download | rails-750e6dafd23698ad3cd363cd52c55502b1a12375.tar.gz rails-750e6dafd23698ad3cd363cd52c55502b1a12375.tar.bz2 rails-750e6dafd23698ad3cd363cd52c55502b1a12375.zip | |
[ci skip] This modifies the HTTP Token authentication example's `authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 35be6d9300..53527c08b6 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -347,7 +347,12 @@ module ActionController # private # def authenticate # authenticate_or_request_with_http_token do |token, options| - # token == TOKEN + # # Compare the tokens in a time-constant manner, to mitigate + # # timing attacks. + # ActiveSupport::SecurityUtils.secure_compare( + # ::Digest::SHA256.hexdigest(token), + # ::Digest::SHA256.hexdigest(TOKEN) + # ) # end # end # end |