Fix basic auth bypass vulnerability
Serious vulnerability discovered, please update to latest code.
werkshy committed Sep 15, 2015
1 parent a0cdab4 commit 04b2238
Showing 1 changed file with 2 additions and 5 deletions.
7 changes: 2 additions & 5 deletions app/controllers/application_controller.rb
Expand Up @@ -15,16 +15,14 @@ def basic_auth
expected_password = ENV.fetch("DYNOSAUR_PASSWORD", DEFAULT_PASSWORD)
if username != expected_username
puts "Failed username"
return false
return request_http_basic_authentication
end
if expected_password == password
@passed_auth=true
return true
else
begin
bcyrpt_password = BCrypt::Password.new(expected_password)
if bcyrpt_password == password
@passed_auth=true
return true
else
puts "Failed password"
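Review bot: the wrong-username branch at the top of this hunk is the bypass itself: the removed `return false` did not stop the request, because Rails halts a before_action chain only when the filter renders or redirects, not on a false return value, so a request with a non-matching username and any password fell through to the action. Replacing it with `return request_http_basic_authentication` renders the 401 challenge and halts the chain, which closes the hole; dropping the `return true` lines on the success paths is fine since the filter's return value is ignored. Two smaller points in the same hunk: `bcyrpt_password` is misspelled (`bcrypt_password`), and the plaintext fallback `expected_password == password` is an ordinary string comparison, so if that path is kept, `ActiveSupport::SecurityUtils.secure_compare` is the safer choice; a request spec asserting that a wrong username yields 401 would keep this fix from regressing.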
Expand All @@ -35,8 +33,7 @@ def basic_auth

end
puts "ERROR: Failed basic auth"
request_http_basic_authentication
return false
return request_http_basic_authentication
end
end
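Review bot: the tail of `basic_auth` now ends in `return request_http_basic_authentication`, the same way the username branch does, so both failure paths halt by rendering the 401 rather than relying on a return value; that is the right shape. Consider replacing `puts "ERROR: Failed basic auth"` with a `Rails.logger.warn` call, since stdout output is not where failed-authentication events get picked up for monitoring, and add a short comment noting that halting comes from the render inside `request_http_basic_authentication`, not from the method's return value, so a future edit does not reintroduce a bare `return false`.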
