diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-10-29 10:42:44 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-22 14:57:14 -0800 |
commit | a6fa3960c3a149e83eb2ff057be4472a82958e3d (patch) | |
tree | 5f1fec107a443ee54507b9001edfcee8483d551c /actionpack | |
parent | 9dc8ddc39424818a3d713a353353ac20cb431218 (diff) | |
download | rails-a6fa3960c3a149e83eb2ff057be4472a82958e3d.tar.gz rails-a6fa3960c3a149e83eb2ff057be4472a82958e3d.tar.bz2 rails-a6fa3960c3a149e83eb2ff057be4472a82958e3d.zip |
use secure string comparisons for basic auth username / password
this will avoid timing attacks against applications that use basic auth.
Conflicts:
activesupport/lib/active_support/security_utils.rb
Conflicts:
actionpack/lib/action_controller/metal/http_authentication.rb
CVE-2015-7576
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index fe4ab65bba..2ae516097a 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -1,5 +1,6 @@ require 'active_support/base64' require 'active_support/core_ext/object/blank' +require 'active_support/security_utils' module ActionController module HttpAuthentication @@ -111,7 +112,11 @@ module ActionController def http_basic_authenticate_with(options = {}) before_filter(options.except(:name, :password, :realm)) do authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| - name == options[:name] && password == options[:password] + # This comparison uses & so that it doesn't short circuit and + # uses `variable_size_secure_compare` so that length information + # isn't leaked. + ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & + ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) end end end |