aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
authorAaron Patterson <aaron.patterson@gmail.com>2015-10-29 10:42:44 -0700
committerAaron Patterson <aaron.patterson@gmail.com>2016-01-22 14:57:14 -0800
commita6fa3960c3a149e83eb2ff057be4472a82958e3d (patch)
tree5f1fec107a443ee54507b9001edfcee8483d551c /actionpack
parent9dc8ddc39424818a3d713a353353ac20cb431218 (diff)
downloadrails-a6fa3960c3a149e83eb2ff057be4472a82958e3d.tar.gz
rails-a6fa3960c3a149e83eb2ff057be4472a82958e3d.tar.bz2
rails-a6fa3960c3a149e83eb2ff057be4472a82958e3d.zip
use secure string comparisons for basic auth username / password
this will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb CVE-2015-7576
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb7
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index fe4ab65bba..2ae516097a 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -1,5 +1,6 @@
require 'active_support/base64'
require 'active_support/core_ext/object/blank'
+require 'active_support/security_utils'
module ActionController
module HttpAuthentication
@@ -111,7 +112,11 @@ module ActionController
def http_basic_authenticate_with(options = {})
before_filter(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
- name == options[:name] && password == options[:password]
+ # This comparison uses & so that it doesn't short circuit and
+ # uses `variable_size_secure_compare` so that length information
+ # isn't leaked.
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end