From ab6329bf4ffaddae9a2996d713e9c3677e2da4b2 Mon Sep 17 00:00:00 2001
From: Eliot Sykes
Date: Wed, 26 Aug 2020 11:34:24 +0100
Subject: [PATCH] Resurrect doc explaining HTTP Basic behavior

Bring back comment (mislaid in commit a5b2fff) that explains why HTTP Basic Auth check uses `&`; it is useful for learners and mitigates `&` being accidentally replaced with `&&` one day.
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index e0ff01e9ec..a9b7eb896c 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -76,6 +76,8 @@ def http_basic_authenticate_with(name:, password:, realm: nil, **options)
 def http_basic_authenticate_or_request_with(name:, password:, realm: nil, message: nil)
 authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
+ # This comparison uses & so that it doesn't short circuit and
+ # uses `secure_compare` so that length information isn't leaked.
 ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
 ActiveSupport::SecurityUtils.secure_compare(given_password, password)
 end
-- GitLab
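Review bot: The second added comment line claims `secure_compare` keeps length information from leaking, but that property depends on how `ActiveSupport::SecurityUtils.secure_compare` treats strings of unequal byte length, which is not shown in this hunk; as far as I recall it compares byte sizes first and returns early on a mismatch, so what it actually guarantees is that comparison time does not reveal how much of the content matched. I would word it to claim only that: `# uses secure_compare so that comparison time doesn't reveal how much of the value matched.` and confirm against the helper's implementation before asserting anything about length. The `&` rationale is accurate and worth keeping: both `secure_compare` calls always execute, so a wrong name and a wrong password follow the same code path. The enclosing `http_basic_authenticate_or_request_with` method appears to continue past the last line of the hunk.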