Use secure_compare to validate keys (#34950).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@20854 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Go MAEDA <maeda@farend.jp> 2021-03-26 05:08:03 +0000
committer: Go MAEDA <maeda@farend.jp> 2021-03-26 05:08:03 +0000
commit: 770a31a78ec1c48f9bee7d61b61e1f0d00a60478 (patch)
tree: af175031430d47a9e24bc9a0b2ee6f2f4d5de9e8 /app
parent: 184eece3e546aaed7ac0090397f12609b33c3dc8 (diff)
download: redmine-770a31a78ec1c48f9bee7d61b61e1f0d00a60478.tar.gz
redmine-770a31a78ec1c48f9bee7d61b61e1f0d00a60478.zip
3 files changed, 13 insertions, 7 deletions
diff --git a/app/controllers/mail_handler_controller.rb b/app/controllers/mail_handler_controller.rb
index 1470d67c6..0165f848f 100644
--- a/app/controllers/mail_handler_controller.rb
+++ b/app/controllers/mail_handler_controller.rb
@@ -18,6 +18,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class MailHandlerController < ActionController::Base
+  include ActiveSupport::SecurityUtils
+
   before_action :check_credential
 
   # Displays the email submission form
@@ -39,7 +41,7 @@ class MailHandlerController < ActionController::Base
 
   def check_credential
     User.current = nil
-    unless Setting.mail_handler_api_enabled? && params[:key].to_s == Setting.mail_handler_api_key
+    unless Setting.mail_handler_api_enabled? && secure_compare(params[:key].to_s, Setting.mail_handler_api_key.to_s)
       render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403
     end
   end
diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb
index 014dae387..dcfca346f 100644
--- a/app/controllers/sys_controller.rb
+++ b/app/controllers/sys_controller.rb
@@ -18,6 +18,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class SysController < ActionController::Base
+  include ActiveSupport::SecurityUtils
+
   before_action :check_enabled
 
   def projects
@@ -76,7 +78,7 @@ class SysController < ActionController::Base
 
   def check_enabled
     User.current = nil
-    unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key
+    unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s)
       render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403
       return false
     end
diff --git a/app/models/token.rb b/app/models/token.rb
index 52eef807a..5f91cfa95 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -116,11 +116,13 @@ class Token < ActiveRecord::Base
     return nil unless action.present? && /\A[a-z0-9]+\z/i.match?(key)
 
     token = Token.find_by(:action => action, :value => key)
-    if token && (token.action == action) && (token.value == key) && token.user
-      if validity_days.nil? || (token.created_on > validity_days.days.ago)
-        token
-      end
-    end
+    return unless token
+    return unless token.action == action
+    return unless ActiveSupport::SecurityUtils.secure_compare(token.value.to_s, key)
+    return unless token.user
+    return unless validity_days.nil? || (token.created_on > validity_days.days.ago)
+
+    token
   end
 
   def self.generate_token_value
author	Go MAEDA <maeda@farend.jp>	2021-03-26 05:08:03 +0000
committer	Go MAEDA <maeda@farend.jp>	2021-03-26 05:08:03 +0000
commit	770a31a78ec1c48f9bee7d61b61e1f0d00a60478 (patch)
tree	af175031430d47a9e24bc9a0b2ee6f2f4d5de9e8 /app
parent	184eece3e546aaed7ac0090397f12609b33c3dc8 (diff)
download	redmine-770a31a78ec1c48f9bee7d61b61e1f0d00a60478.tar.gz redmine-770a31a78ec1c48f9bee7d61b61e1f0d00a60478.zip