Merged r20854 from trunk to 4.1-stable (#34950).

author Go MAEDA <maeda@farend.jp>

Fri, 26 Mar 2021 05:10:59 +0000 (05:10 +0000)

committer Go MAEDA <maeda@farend.jp>

Fri, 26 Mar 2021 05:10:59 +0000 (05:10 +0000)
author Go MAEDA <maeda@farend.jp>
Fri, 26 Mar 2021 05:10:59 +0000 (05:10 +0000)
committer Go MAEDA <maeda@farend.jp>
Fri, 26 Mar 2021 05:10:59 +0000 (05:10 +0000)
diff --git a/app/controllers/mail_handler_controller.rb b/app/controllers/mail_handler_controller.rb

index 389cd6f73a94d1b9db7fa21b04ce2cfe91be77ba..9b96c791d28679cd75ec8847a877f36a559a869b 100644 (file)
--- a/app/controllers/mail_handler_controller.rb
+++ b/app/controllers/mail_handler_controller.rb
@@ -18,6 +18,8 @@
  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  
  class MailHandlerController < ActionController::Base
+  include ActiveSupport::SecurityUtils
+
    before_action :check_credential
  
    # Displays the email submission form
@@ -39,7 +41,7 @@ class MailHandlerController < ActionController::Base
  
    def check_credential
      User.current = nil
-    unless Setting.mail_handler_api_enabled? && params[:key].to_s == Setting.mail_handler_api_key
+    unless Setting.mail_handler_api_enabled? && secure_compare(params[:key].to_s, Setting.mail_handler_api_key.to_s)
        render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403
      end
    end
diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb

index f217ee280cae21ac4f0e8866c5e3093dbd55c418..2d3e7484961de00edb94d26f9f967daec063d8ad 100644 (file)
--- a/app/controllers/sys_controller.rb
+++ b/app/controllers/sys_controller.rb
@@ -18,6 +18,8 @@
  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  
  class SysController < ActionController::Base
+  include ActiveSupport::SecurityUtils
+
    before_action :check_enabled
  
    def projects
@@ -76,7 +78,7 @@ class SysController < ActionController::Base
  
    def check_enabled
      User.current = nil
-    unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key
+    unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s)
        render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403
        return false
      end
diff --git a/app/models/token.rb b/app/models/token.rb

index 8e93918ecfa24d1ab89cbe54fff35d8983944aca..55fded67e1ef83d7feafb22fc0e5013455476219 100644 (file)
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -115,11 +115,13 @@ class Token < ActiveRecord::Base
      return nil unless action.present? && /\A[a-z0-9]+\z/i.match?(key)
  
      token = Token.find_by(:action => action, :value => key)
-    if token && (token.action == action) && (token.value == key) && token.user
-      if validity_days.nil? || (token.created_on > validity_days.days.ago)
-        token
-      end
-    end
+    return unless token
+    return unless token.action == action
+    return unless ActiveSupport::SecurityUtils.secure_compare(token.value.to_s, key)
+    return unless token.user
+    return unless validity_days.nil? || (token.created_on > validity_days.days.ago)
+
+    token
    end
  
    def self.generate_token_value
author	Go MAEDA <maeda@farend.jp>
	Fri, 26 Mar 2021 05:10:59 +0000 (05:10 +0000)
committer	Go MAEDA <maeda@farend.jp>
	Fri, 26 Mar 2021 05:10:59 +0000 (05:10 +0000)
app/controllers/mail_handler_controller.rb		patch \| blob \| history
app/controllers/sys_controller.rb		patch \| blob \| history
app/models/token.rb		patch \| blob \| history