* Do not convert digest auth strings to symbols. CVE-2012-3424

Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb

* Do not convert digest auth strings to symbols. CVE-2012-3424
Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb
fee0bc57 · Aaron Patterson · 90c9ae58 · fee0bc57
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

actionpack/lib/action_controller/metal/http_authentication.rb ...onpack/lib/action_controller/metal/http_authentication.rb +2 -2

未找到文件。
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -229,9 +229,9 @@ def decode_credentials_header(request)
      end

      def decode_credentials(header)
-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
          key, value = pair.split('=', 2)
-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').delete('\'')]
+          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
        end]
      end