Resurrect doc explaining HTTP Basic behavior

Bring back comment (mislaid in commit a5b2fff6) that explains why HTTP Basic Auth check uses `&`; it is useful for learners and mitigates `&` being accidentally replaced with `&&` one day.

Resurrect doc explaining HTTP Basic behavior
Bring back comment (mislaid in commit a5b2fff6) that explains why HTTP Basic Auth check uses `&`; it is useful for learners and mitigates `&` being accidentally replaced with `&&` one day.
ab6329bf · Eliot Sykes · GitHub · 3ddf6b66 · ab6329bf
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

actionpack/lib/action_controller/metal/http_authentication.rb ...onpack/lib/action_controller/metal/http_authentication.rb +2 -0

未找到文件。
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -76,6 +76,8 @@ def http_basic_authenticate_with(name:, password:, realm: nil, **options)

        def http_basic_authenticate_or_request_with(name:, password:, realm: nil, message: nil)
          authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
+            # This comparison uses & so that it doesn't short circuit and
+            # uses `secure_compare` so that length information isn't leaked.
            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
              ActiveSupport::SecurityUtils.secure_compare(given_password, password)
          end