Permalink
Browse files

use secure string comparisons for basic auth username / password

this will avoid timing attacks against applications that use basic auth.

CVE-2015-7576
  • Loading branch information...
tenderlove committed Oct 29, 2015
1 parent 73521d5 commit 036bbda9eb3b3885223d53646777733a1547d89a
@@ -1,4 +1,5 @@
require 'base64'
require 'active_support/security_utils'
module ActionController
# Makes it dead easy to do HTTP Basic, Digest and Token authentication.
@@ -68,7 +69,11 @@ module ClassMethods
def http_basic_authenticate_with(options = {})
before_action(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
name == options[:name] && password == options[:password]
# This comparison uses & so that it doesn't short circuit and
# uses `variable_size_secure_compare` so that length information
# isn't leaked.
ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end
@@ -1,3 +1,5 @@
require 'digest'
module ActiveSupport
module SecurityUtils
# Constant time string comparison.
@@ -16,5 +18,10 @@ def secure_compare(a, b)
res == 0
end
module_function :secure_compare
def variable_size_secure_compare(a, b) # :nodoc:
secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
end
module_function :variable_size_secure_compare
end
end

0 comments on commit 036bbda

Please sign in to comment.