From e49eaf1f800aa2b12d0dcd674bee4e152ed3b124 Mon Sep 17 00:00:00 2001
From: Pavel Valena <pvalena@redhat.com>
Date: Tue, 26 Jan 2016 20:07:08 +0100
Subject: [PATCH] Fix timing attack vulnerability
---
lib/action_controller/metal/http_authentication.rb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/action_controller/metal/http_authentication.rb b/lib/action_controller/metal/http_authentication.rb
index a219d35..2777d0f 100644
--- a/lib/action_controller/metal/http_authentication.rb
+++ b/lib/action_controller/metal/http_authentication.rb
@@ -1,4 +1,5 @@
require 'base64'
+require 'active_support/security_utils'
module ActionController
# Makes it dead easy to do HTTP Basic, Digest and Token authentication.
@@ -68,7 +69,11 @@ module ActionController
def http_basic_authenticate_with(options = {})
before_action(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
- name == options[:name] && password == options[:password]
+ # This comparison uses & so that it doesn't short circuit and
+ # uses `variable_size_secure_compare` so that length information
+ # isn't leaked.
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end
--
2.5.0