|
 |
0865fc |
From 0de876c53fe9355f1e9a73e923519f2a2241f527 Mon Sep 17 00:00:00 2001
|
|
|
0865fc |
From: Aaron Patterson <aaron.patterson@gmail.com>
|
|
|
0865fc |
Date: Thu, 29 Oct 2015 10:42:44 -0700
|
|
|
0865fc |
Subject: [PATCH] use secure string comparisons for basic auth username /
|
|
|
0865fc |
password
|
|
|
0865fc |
|
|
|
0865fc |
this will avoid timing attacks against applications that use basic auth.
|
|
|
0865fc |
|
|
|
0865fc |
Conflicts:
|
|
|
0865fc |
activesupport/lib/active_support/security_utils.rb
|
|
|
0865fc |
|
|
|
0865fc |
CVE-2015-7576
|
|
|
0865fc |
---
|
|
|
0865fc |
.../action_controller/metal/http_authentication.rb | 7 +++++-
|
|
|
0865fc |
activesupport/lib/active_support/security_utils.rb | 27 ++++++++++++++++++++++
|
|
|
0865fc |
2 files changed, 33 insertions(+), 1 deletion(-)
|
|
|
0865fc |
create mode 100644 activesupport/lib/active_support/security_utils.rb
|
|
|
0865fc |
|
|
|
0865fc |
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
|
|
|
0865fc |
index 167df2f..db93e20 100644
|
|
|
0865fc |
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
|
|
|
0865fc |
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
|
|
|
0865fc |
@@ -1,4 +1,5 @@
|
|
|
0865fc |
require 'base64'
|
|
|
0865fc |
+require 'active_support/security_utils'
|
|
|
0865fc |
|
|
|
0865fc |
module ActionController
|
|
|
0865fc |
# Makes it dead easy to do HTTP Basic, Digest and Token authentication.
|
|
|
0865fc |
@@ -70,7 +71,11 @@ module ActionController
|
|
|
0865fc |
def http_basic_authenticate_with(options = {})
|
|
|
0865fc |
before_action(options.except(:name, :password, :realm)) do
|
|
|
0865fc |
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
|
|
|
0865fc |
- name == options[:name] && password == options[:password]
|
|
|
0865fc |
+ # This comparison uses & so that it doesn't short circuit and
|
|
|
0865fc |
+ # uses `variable_size_secure_compare` so that length information
|
|
|
0865fc |
+ # isn't leaked.
|
|
|
0865fc |
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
|
|
|
0865fc |
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
|
|
|
0865fc |
end
|
|
|
0865fc |
end
|
|
|
0865fc |
end
|
|
|
0865fc |
--
|
|
|
0865fc |
2.2.1
|
|
|
0865fc |
|