
* Do not convert digest auth strings to symbols. CVE-2012-3424

commit b88cc8aa31ca1f06668700dd0ebe2b54ece8bba1 1 parent 32b4cbc
@tenderlove tenderlove authored
Showing with 2 additions and 2 deletions.
  1. +2 −2 actionpack/lib/action_controller/metal/http_authentication.rb
4 actionpack/lib/action_controller/metal/http_authentication.rb
@@ -217,9 +217,9 @@ def decode_credentials_header(request)
end
def decode_credentials(header)
- Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+ HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
key, value = pair.split('=', 2)
- [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
+ [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
end]
end
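Review bot: the security-relevant line is the `- [key.strip.to_sym, ...]` / `+ [key.strip, ...]` pair: `key` comes straight from the client-supplied `Authorization: Digest ...` header, and calling `to_sym` on it interns an attacker-chosen string as a Symbol, which Ruby of this era never garbage-collects, so a stream of requests with unique parameter names grows the symbol table without bound (the CVE-2012-3424 denial of service named in the commit message). Keeping the keys as Strings and wrapping the result in `HashWithIndifferentAccess` preserves symbol-style lookups for existing callers, but the hunk shows no `require 'active_support/core_ext/hash/indifferent_access'`; please confirm the file already loads it, otherwise `decode_credentials` raises `NameError` the first time it runs. The `.gsub(/'/, '')` to `.delete('\'')` swap on the value is behaviour-preserving and fine.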