
* Do not convert digest auth strings to symbols. CVE-2012-3424

Conflicts:
	actionpack/lib/action_controller/metal/http_authentication.rb
commit fee0bc57385b564b2789d199969ac26409603188 1 parent 90c9ae5
Aaron Patterson authored
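--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -229,9 +229,9 @@ def decode_credentials_header(request)
       end
 
       def decode_credentials(header)
-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
           key, value = pair.split('=', 2)
-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').delete('\'')]
+          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
         end]
       end
 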
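Review bot: The unquoting regex on the rewritten value line, `value.to_s.gsub(/^"|"$/,'')`, uses `^` and `$`, which in Ruby anchor to line boundaries rather than to the ends of the string; `\A` and `\z` anchor the whole value, e.g. `value.to_s.gsub(/\A"|"\z/, '')`, and the same applies to the prefix strip on the first rewritten line, `/^Digest\s+/` → `/\ADigest\s+/`. Since the header is attacker-controlled input, the tighter anchors are the safer default even if a single header line makes the difference rare in practice. Separately, the `split(',')` runs before unquoting, so a quoted parameter value that itself contains a comma (the `uri` field can) is cut in two; a comment above it such as `# NOTE: naive split on ',' — quoted values containing commas are not handled` would at least document the limitation. The enclosing module is outside the hunk, so I cannot see whether a helper for RFC 2617 quoted-string parsing already exists elsewhere in this file.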
