author | Nick Malcolm <nick@revert.io> | 2016-04-12 00:14:09 +1200 |
---|---|---|
committer | Nick Malcolm <nick@revert.io> | 2016-04-12 09:41:51 +1200 |
commit | 750e6dafd23698ad3cd363cd52c55502b1a12375 (patch) | |
tree | 50c7a31697012d318e26578dfa441dddb554b094 /railties/lib/rails/generators/erb/controller/templates | |
parent | 0caf8ffd7d19a3a3c8d7eca158b4ea66185ce4ae (diff) | |
download | rails-750e6dafd23698ad3cd363cd52c55502b1a12375.tar.gz rails-750e6dafd23698ad3cd363cd52c55502b1a12375.tar.bz2 rails-750e6dafd23698ad3cd363cd52c55502b1a12375.zip |
[ci skip] This modifies the HTTP Token authentication example's `authenticate` method to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
Diffstat (limited to 'railties/lib/rails/generators/erb/controller/templates')
0 files changed, 0 insertions, 0 deletions
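The technique the commit message describes, as an added example in plain Ruby that is not the Rails generator template or ActiveSupport's own `secure_compare`. The function names (`short_circuit_steps`, `constant_time_steps`, `secure_compare`, `authenticate_*`) and the sample tokens are this example's own. The first pair of functions counts how many bytes a comparison inspects before it returns, which is the signal a timing attacker measures as wall-clock time; the second pair shows the two-step defence the commit adopts: hash both sides to a constant length so no length information leaks, then compare the digests without short-circuiting.

```ruby
require "digest"

# How many bytes a short-circuiting comparison (the behaviour of String#==
# on two equal-length strings) examines before it can answer. A correct
# prefix makes this number grow, and with it the response time, so an
# attacker can recover the token one byte at a time.
def short_circuit_steps(candidate, expected)
  return 0 if candidate.bytesize != expected.bytesize # == bails on length first
  steps = 0
  candidate.bytes.each_with_index do |byte, i|
    steps += 1
    return steps if byte != expected.getbyte(i)
  end
  steps
end

# Constant-time comparison of two strings that are already the same length:
# every byte is XORed into an accumulator and the loop never exits early,
# so the work done is independent of where the strings differ.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "inputs must have the same byte length" unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Number of bytes the constant-time path inspects: always the full length.
def constant_time_steps(candidate, expected)
  return 0 if candidate.bytesize != expected.bytesize
  fixed_length_secure_compare(candidate, expected)
  expected.bytesize
end

# What the commit message calls "secure_compare with two constant-length
# strings": hashing both sides first makes their lengths equal (32 bytes
# for SHA-256) regardless of what the client sent, so neither the length
# check nor the comparison leaks anything about the expected token.
def secure_compare(candidate, expected)
  fixed_length_secure_compare(Digest::SHA256.digest(candidate),
                              Digest::SHA256.digest(expected))
end

# Vulnerable shape of the old generator example: plain ==.
def authenticate_with_equals(token, expected_token)
  token == expected_token
end

# Hardened shape matching the commit's intent.
def authenticate_with_secure_compare(token, expected_token)
  secure_compare(token, expected_token)
end

if __FILE__ == $PROGRAM_NAME
  expected = "c0ffee-constructed-sample-token" # constructed sample, not a real secret
  ["x" * expected.bytesize, "c0ffee" + "x" * (expected.bytesize - 6), expected].each do |guess|
    puts "guess=#{guess.inspect} == steps=#{short_circuit_steps(guess, expected)} " \
         "constant-time steps=#{constant_time_steps(guess, expected)} " \
         "accepted=#{authenticate_with_secure_compare(guess, expected)}"
  end
end
```

Running the block prints one line per guess: the `==` step count climbs from 1 to 7 to the full length as the correct prefix grows, while the constant-time count stays at the full length every time. Pure-Ruby loops are still subject to interpreter and GC noise, so in an application you would call the framework's or OpenSSL's constant-time primitive rather than this hand-rolled version; the point here is the shape of the defence, not a drop-in library.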