* Do not convert digest auth strings to symbols. CVE-2012-3424

author: Aaron Patterson <aaron.patterson@gmail.com> 2012-07-26 13:30:15 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2012-07-26 13:30:15 -0700
commit: 27311fef5efa598f281649074255834546d2b4ec (patch)
tree: 4439dda1fa980ca94caa26241cb4dd0acc3cd240 /actionpack/lib
parent: 753c546df4c8d639a8402552bdd5c9d077610f6c (diff)
download: rails-27311fef5efa598f281649074255834546d2b4ec.tar.gz
rails-27311fef5efa598f281649074255834546d2b4ec.tar.bz2
rails-27311fef5efa598f281649074255834546d2b4ec.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 9f2f5476fa..fe4ab65bba 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -227,9 +227,9 @@ module ActionController
       end
 
       def decode_credentials(header)
-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
           key, value = pair.split('=', 2)
-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
+          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
         end]
       end
author	Aaron Patterson <aaron.patterson@gmail.com>	2012-07-26 13:30:15 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2012-07-26 13:30:15 -0700
commit	27311fef5efa598f281649074255834546d2b4ec (patch)
tree	4439dda1fa980ca94caa26241cb4dd0acc3cd240 /actionpack/lib
parent	753c546df4c8d639a8402552bdd5c9d077610f6c (diff)
download	rails-27311fef5efa598f281649074255834546d2b4ec.tar.gz rails-27311fef5efa598f281649074255834546d2b4ec.tar.bz2 rails-27311fef5efa598f281649074255834546d2b4ec.zip