authorGo MAEDA <maeda@farend.jp>2021-03-26 05:08:03 +0000
committerGo MAEDA <maeda@farend.jp>2021-03-26 05:08:03 +0000
commit770a31a78ec1c48f9bee7d61b61e1f0d00a60478 (patch)
treeaf175031430d47a9e24bc9a0b2ee6f2f4d5de9e8 /app/controllers/sys_controller.rb
parent184eece3e546aaed7ac0090397f12609b33c3dc8 (diff)
Use secure_compare to validate keys (#34950).
Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@20854 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/sys_controller.rb')
-rw-r--r--app/controllers/sys_controller.rb4
1 files changed, 3 insertions, 1 deletions
diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb
index 014dae387..dcfca346f 100644
--- a/app/controllers/sys_controller.rb
+++ b/app/controllers/sys_controller.rb
@@ -18,6 +18,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class SysController < ActionController::Base
+ include ActiveSupport::SecurityUtils
+
before_action :check_enabled
def projects
@@ -76,7 +78,7 @@ class SysController < ActionController::Base
def check_enabled
User.current = nil
- unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key
+ unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s)
render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403
return false
end
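Review bot: The new condition still accepts an empty key: when `Setting.sys_api_key` is nil or blank, the added `.to_s` turns it into `""`, and `secure_compare("", "")` is true, so a request carrying no `key` parameter passes as long as `sys_api_enabled?` is on (the old `==` at least rejected a nil setting, since `"" == nil` is false). Whether the settings layer can actually persist an empty key is not visible on this page, but the guard is cheap and keeps the constant-time comparison: `key = Setting.sys_api_key.to_s` followed by `unless Setting.sys_api_enabled? && key.present? && secure_compare(params[:key].to_s, key)`. The `.to_s` on `params[:key]` should stay, because `secure_compare` calls `bytesize` on both arguments and would raise on a nil or array-valued parameter instead of denying access.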