From: Go MAEDA Date: Fri, 26 Mar 2021 05:10:59 +0000 (+0000) Subject: Merged r20854 from trunk to 4.1-stable (#34950). X-Git-Tag: 4.1.3~13 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=23e09ef64e26d6f63dcdcd624827440d9ad05f93;p=redmine.git Merged r20854 from trunk to 4.1-stable (#34950). git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@20855 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/controllers/mail_handler_controller.rb b/app/controllers/mail_handler_controller.rb index 389cd6f73..9b96c791d 100644 --- a/app/controllers/mail_handler_controller.rb +++ b/app/controllers/mail_handler_controller.rb @@ -18,6 +18,8 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class MailHandlerController < ActionController::Base + include ActiveSupport::SecurityUtils + before_action :check_credential # Displays the email submission form @@ -39,7 +41,7 @@ class MailHandlerController < ActionController::Base def check_credential User.current = nil - unless Setting.mail_handler_api_enabled? && params[:key].to_s == Setting.mail_handler_api_key + unless Setting.mail_handler_api_enabled? && secure_compare(params[:key].to_s, Setting.mail_handler_api_key.to_s) render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403 end end diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb index f217ee280..2d3e74849 100644 --- a/app/controllers/sys_controller.rb +++ b/app/controllers/sys_controller.rb @@ -18,6 +18,8 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class SysController < ActionController::Base + include ActiveSupport::SecurityUtils + before_action :check_enabled def projects @@ -76,7 +78,7 @@ class SysController < ActionController::Base def check_enabled User.current = nil - unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key + unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s) render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403 return false end diff --git a/app/models/token.rb b/app/models/token.rb index 8e93918ec..55fded67e 100644 --- a/app/models/token.rb +++ b/app/models/token.rb @@ -115,11 +115,13 @@ class Token < ActiveRecord::Base return nil unless action.present? && /\A[a-z0-9]+\z/i.match?(key) token = Token.find_by(:action => action, :value => key) - if token && (token.action == action) && (token.value == key) && token.user - if validity_days.nil? || (token.created_on > validity_days.days.ago) - token - end - end + return unless token + return unless token.action == action + return unless ActiveSupport::SecurityUtils.secure_compare(token.value.to_s, key) + return unless token.user + return unless validity_days.nil? || (token.created_on > validity_days.days.ago) + + token end def self.generate_token_value