| Commit message | Author | Age | Files | Lines |
`authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
this will avoid timing attacks against applications that use basic auth.
CVE-2015-7576
Handle tab in token authentication header.
The HTTP spec allows for LWS to precede the header content, which
could include multiple SP and HT characters. Update the regex used to
match the Token authorization header to account for this, instead of
matching on a single SP.
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant
parts of the specification.
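Added here as an illustration, not code from Rails or from any of the commits on this page: a small Ruby parser for the Token authorization header that accepts RFC 2616 LWS (runs of SP and HT) after the scheme, as the commit above describes, together with a constant-time comparison of the kind the `secure_compare` commit refers to. The function names, the SHA256 length-normalisation step and the sample headers are this example's own assumptions.

```ruby
require "digest"

# Constructed example: parse "Authorization: Token ..." tolerating LWS after
# the scheme, an omitted "token=" key, quoted values and "=" inside values.
TOKEN_SCHEME   = /\A(Token|Bearer)[ \t]+/i   # LWS (SP/HT run), not one SP
PAIR_DELIMITER = /[ \t]*(?:,|;|\t+)[ \t]*/   # separators between key=value pairs

# Returns [token, options_hash], or nil when the header is absent, uses a
# different scheme (e.g. Basic) or carries no value after the scheme.
def token_and_options(header)
  return nil unless header.is_a?(String) && header =~ TOKEN_SCHEME
  pairs = header.sub(TOKEN_SCHEME, "").split(PAIR_DELIMITER).reject(&:empty?)
  return nil if pairs.empty?
  # A bare first value is the token itself: "Token abc" == "Token token=abc".
  pairs[0] = "token=#{pairs[0]}" unless pairs[0].start_with?("token=")
  options = pairs.each_with_object({}) do |pair, h|
    key, value = pair.split("=", 2)                 # keep "=" inside the value
    h[key.strip] = (value || "").sub(/\A"(.*)"\z/, '\1')  # strip surrounding quotes
  end
  [options.delete("token"), options]
end

# Constant-time comparison. Both inputs are hashed to the same length first,
# so neither the length check nor the byte loop leaks how much of the
# expected secret matched (the approach the Rails fix above took).
def secure_compare(a, b)
  a = Digest::SHA256.hexdigest(a)
  b = Digest::SHA256.hexdigest(b)
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Defender-side check: true only when the header carries a Token value that
# equals the expected token, compared in constant time.
def token_authenticated?(header, expected_token)
  token, _options = token_and_options(header)
  return false if token.nil?
  secure_compare(token, expected_token)
end
```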
Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries
that support multiple Rails versions would've had to feature-detect
whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
`Mime[:foo]` has been around for ages to look up registered MIME types
by symbol / extension, though, so libraries and plugins can safely
switch to that without breaking backward- or forward-compatibility.
Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup
by type or extension, so it's not available as `Mime[:all]`. We use it
internally as a wildcard for `respond_to` negotiation. If you use this
internal constant, continue to reference it with `Mime::ALL`.
Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
As we all know, accessing mime types via constants is deprecated. Now we are using `Mime::Type[:JSON]` instead of `Mime::JSON`.
This will silence deprecation warnings.
Most of the tests can be changed from `render :text` to `render :plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
[ci skip]
Digest allowed the messages.
Add the same feature to basic and token
https://github.com/ruby/ruby/pull/579 - there is a new optimization
since Ruby 2.2
Previously regexp patterns were faster (since a string was converted to
regexp underneath anyway). But now string patterns are faster and
better reflect the purpose.
require 'benchmark/ips'  # benchmark-ips gem, needed for Benchmark.ips
Benchmark.ips do |bm|
  bm.report('regexp') { 'this is ::a random string'.gsub(/::/, '/') }
  bm.report('string') { 'this is ::a random string'.gsub('::', '/') }
  bm.compare!
end
# string: 753724.4 i/s
# regexp: 501443.1 i/s - 1.50x slower
Example does not work with session headers, should use request headers. [ci skip]
Allow authentication header to not have to specify 'token=' key.
Fixes: https://github.com/rails/rails/issues/17108.
I grepped the source code for code snippets wrapped in backticks in the comments
and replaced the backticks with plus signs so they are correctly displayed in
the Rails documentation.
[ci skip]
add a test case to test the regex for the helper method raw_params
The 401 status should be set first because setting the response body in
a live controller also closes the response to further changes.
Fixes #14229.
Check authentication scheme in Basic auth
`authenticate_with_http_basic` and its family should check that the authentication
scheme is "Basic".
A different scheme, such as OAuth2 Bearer, should be rejected by basic auth, but
it was passing as the test shows.
This fixes #10257.
ref #14062
This reverts commit 637a7d9d357a0f3f725b0548282ca8c5e7d4af4a, reversing
changes made to 5937bd02dee112646469848d7fe8a8bfcef5b4c1.
Adding a test for the equal trunc bug
Adding a test for the after equal trunc bug
Adding a test for the slash bug
Adding a test for the slash quote bug
Adding a helper method for creating a sample request object with token
Writing a method to create params array from raw params
Writing a method to rewrite param values in the params
Writing a method to get the token params from an authorization value
Refactoring the token_and_options method to fix bugs
Removing unnecessary test
A constant for this shared regex seemed appropriate
Wanting to split up this logic
Adding small documentation pieces
Conflicts:
activemodel/lib/active_model/secure_password.rb
activerecord/lib/active_record/associations/collection_proxy.rb
HTTP Token authentication in integration tests
Fix for digest authentication bug - issue #2301 in rails/rails
Conflicts:
actionpack/lib/action_controller/metal/http_authentication.rb