authorAaron Patterson <aaron.patterson@gmail.com>2012-07-26 13:30:15 -0700
committerAaron Patterson <aaron.patterson@gmail.com>2012-07-26 13:30:15 -0700
commit27311fef5efa598f281649074255834546d2b4ec (patch)
tree4439dda1fa980ca94caa26241cb4dd0acc3cd240 /actionpack/lib
parent753c546df4c8d639a8402552bdd5c9d077610f6c (diff)
* Do not convert digest auth strings to symbols. CVE-2012-3424
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 9f2f5476fa..fe4ab65bba 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -227,9 +227,9 @@ module ActionController
end
def decode_credentials(header)
- Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+ HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
key, value = pair.split('=', 2)
- [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
+ [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
end]
end