path: root/www/ruby-actionpack/patches/patch-aa
blob: e6037d72efb0766dceb83495231e31f6904af953 (plain)
$NetBSD: patch-aa,v 1.3 2009/07/16 11:00:25 minskim Exp $

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489

--- lib/action_controller/http_authentication.rb.orig	2009-07-16 03:45:19.000000000 -0700
+++ lib/action_controller/http_authentication.rb
@@ -183,7 +183,7 @@ module ActionController
         request.env['REDIRECT_X_HTTP_AUTHORIZATION']
       end
 
-      # Raises error unless the request credentials response value matches the expected value.
+      # Returns false unless the request credentials response value matches the expected value.
       # First try the password as a ha1 digest password. If this fails, then try it as a plain
       # text password.
       def validate_digest_response(request, realm, &password_procedure)
@@ -192,6 +192,7 @@ module ActionController
 
         if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
+          return false unless password
 
          [true, false].any? do |password_is_ha1|
            expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
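Review bot: The guard added after the `password_procedure.call` line rejects only a nil (or false) lookup result; because an empty string is truthy in Ruby, a password procedure that returns `""` for an unknown user still reaches `expected_response`, and the digest comparison then runs against an empty secret. Whether a blank password is a supported case is not visible in the hunk, so this is a point to confirm rather than a defect; if blank secrets are never meant to authenticate, the guard would be `return false if password.nil? || password.empty?`. The new line also deserves a why-comment so the next reader does not fold it back into the `if`, e.g. `# nil means the user is unknown: never derive an expected digest from a missing password (CVE-2009-2422)`. validate_digest_response is defined at the end of the previous hunk and its body continues past this one.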