# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class MailHandlerController < ActionController::Base
+ include ActiveSupport::SecurityUtils
+
before_action :check_credential
# Displays the email submission form
def check_credential
User.current = nil
- unless Setting.mail_handler_api_enabled? && params[:key].to_s == Setting.mail_handler_api_key
+ unless Setting.mail_handler_api_enabled? && secure_compare(params[:key].to_s, Setting.mail_handler_api_key.to_s)
render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403
end
end
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class SysController < ActionController::Base
+ include ActiveSupport::SecurityUtils
+
before_action :check_enabled
def projects
def check_enabled
User.current = nil
- unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key
+ unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s)
render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403
return false
end
return nil unless action.present? && key =~ /\A[a-z0-9]+\z/i
token = Token.find_by(:action => action, :value => key)
- if token && (token.action == action) && (token.value == key) && token.user
- if validity_days.nil? || (token.created_on > validity_days.days.ago)
- token
- end
- end
+ return unless token
+ return unless token.action == action
+ return unless ActiveSupport::SecurityUtils.secure_compare(token.value.to_s, key)
+ return unless token.user
+ return unless validity_days.nil? || (token.created_on > validity_days.days.ago)
+
+ token
end
def self.generate_token_value
projects / redmine.git / commitdiff