use secure string comparisons for basic auth username / password

this will avoid timing attacks against applications that use basic auth. CVE-2015-7576
2015-10-29 10:42:44 -07:00 · 2015-10-29 10:42:44 -07:00 · 17e6f1507b
commit 17e6f1507b
parent 099ddfdefd
2 changed files with 13 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@ -1,4 +1,5 @@
 require 'base64'
+require 'active_support/security_utils'

 module ActionController
  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
@ -68,7 +69,11 @@ module ClassMethods
          def http_basic_authenticate_with(options = {})
            before_action(options.except(:name, :password, :realm)) do
              authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                name == options[:name] && password == options[:password]
+                # This comparison uses & so that it doesn't short circuit and
+                # uses `variable_size_secure_compare` so that length information
+                # isn't leaked.
+                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
              end
            end
          end
--- a/activesupport/lib/active_support/security_utils.rb
+++ b/activesupport/lib/active_support/security_utils.rb
@ -1,3 +1,5 @@
+require 'digest'
+
 module ActiveSupport
  module SecurityUtils
    # Constant time string comparison.
@ -16,5 +18,10 @@ def secure_compare(a, b)
      res == 0
    end
    module_function :secure_compare
+
+    def variable_size_secure_compare(a, b) # :nodoc:
+      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
+    end
+    module_function :variable_size_secure_compare
  end
 end