From 750e6dafd23698ad3cd363cd52c55502b1a12375 Mon Sep 17 00:00:00 2001
From: Nick Malcolm <nick@revert.io>
Date: Tue, 12 Apr 2016 00:14:09 +1200
Subject: [ci skip] This modifies the HTTP Token authentication example's
 `authenticate` method, to use the `secure_compare` method with two
 constant-length strings. This defends against timing attacks, and is best
 practice. Using `==` for sensitive actions is not recommended, and this was
 the source of a CVE fixed in October 2015:
 https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda

---
 actionpack/lib/action_controller/metal/http_authentication.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_controller/metal/http_authentication.rb')

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 35be6d9300..53527c08b6 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -347,7 +347,12 @@ module ActionController
     #     private
     #       def authenticate
     #         authenticate_or_request_with_http_token do |token, options|
-    #           token == TOKEN
+    #           # Compare the tokens in a time-constant manner, to mitigate
+    #           # timing attacks.
+    #           ActiveSupport::SecurityUtils.secure_compare(
+    #             ::Digest::SHA256.hexdigest(token),
+    #             ::Digest::SHA256.hexdigest(TOKEN)
+    #           )
     #         end
     #       end
     #   end
-- 
cgit v1.2.3