Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-08 22:36:02 +01:00
Code Issues Packages Projects Releases Activity

Use secure_compare to validate keys (#34950).

Browse Source 
Patch by Holger Just.


git-svn-id: http://svn.redmine.org/redmine/trunk@20854 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Go MAEDA
2021-03-26 05:08:03 +00:00
parent 184eece3e5
commit 770a31a78e
3 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/mail_handler_controller.rb
View File

@@ -18,6 +18,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class MailHandlerController < ActionController::Base class MailHandlerController < ActionController::Base
include ActiveSupport::SecurityUtils
before_action :check_credential before_action :check_credential
# Displays the email submission form # Displays the email submission form
@@ -39,7 +41,7 @@ class MailHandlerController < ActionController::Base
def check_credential def check_credential
User.current = nil User.current = nil
unless Setting.mail_handler_api_enabled? && params[:key].to_s == Setting.mail_handler_api_key unless Setting.mail_handler_api_enabled? && secure_compare(params[:key].to_s, Setting.mail_handler_api_key.to_s)
render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403 render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403
end end
end end

4
app/controllers/sys_controller.rb
View File

@@ -18,6 +18,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class SysController < ActionController::Base class SysController < ActionController::Base
include ActiveSupport::SecurityUtils
before_action :check_enabled before_action :check_enabled
def projects def projects
@@ -76,7 +78,7 @@ class SysController < ActionController::Base
def check_enabled def check_enabled
User.current = nil User.current = nil
unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s)
render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403 render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403
return false return false
end end

10
app/models/token.rb
View File

@@ -116,12 +116,14 @@ class Token < ActiveRecord::Base
return nil unless action.present? && /\A[a-z0-9]+\z/i.match?(key) return nil unless action.present? && /\A[a-z0-9]+\z/i.match?(key)
token = Token.find_by(:action => action, :value => key) token = Token.find_by(:action => action, :value => key)
if token && (token.action == action) && (token.value == key) && token.user return unless token
if validity_days.nil? || (token.created_on > validity_days.days.ago) return unless token.action == action
return unless ActiveSupport::SecurityUtils.secure_compare(token.value.to_s, key)
return unless token.user
return unless validity_days.nil? || (token.created_on > validity_days.days.ago)
token token
end end
end
end
def self.generate_token_value def self.generate_token_value
Redmine::Utils.random_hex(20) Redmine::Utils.random_hex(20)