From b88cc8aa31ca1f06668700dd0ebe2b54ece8bba1 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Thu, 26 Jul 2012 13:30:15 -0700
Subject: [PATCH] * Do not convert digest auth strings to symbols. CVE-2012-3424

---
 actionpack/lib/action_controller/metal/http_authentication.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 76adde9..f0da2cc 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -217,9 +217,9 @@ module ActionController
       end
 
       def decode_credentials(header)
-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
           key, value = pair.split('=', 2)
-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
+          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
         end]
       end
 
-- 
1.7.11.1
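Review bot: The new `decode_credentials` body still anchors its regexes with `^` and `$`, which in Ruby match at every line boundary rather than at the ends of the string, so a header value containing a newline is trimmed at places the parser does not intend; anchoring the whole string is the stricter form: `header.to_s.sub(/\ADigest\s+/, '')` and `value.to_s.gsub(/\A"|"\z/, '')`. The `split(',')` on the same line also breaks a quoted parameter that itself contains a comma (for example a `uri` value), which is a pre-existing parsing limitation the commit does not touch and may be worth tracking separately. Since the whole point of the change is that the keys come from an untrusted header, a short why-comment above the map would help the next maintainer, e.g. `# Keys stay Strings: the header is client-controlled, and symbols were never collected (CVE-2012-3424).`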