Commit 8d9823ab authored by Robert Schilling

Merge pull request #8928 from Mic92/master

use constant-time string compare for internal api authentication
parents 3cf4359b 9f089ac4
...@@ -83,7 +83,10 @@ module API ...@@ -83,7 +83,10 @@ module API
end end
def authenticate_by_gitlab_shell_token! def authenticate_by_gitlab_shell_token!
unauthorized! unless secret_token == params['secret_token'].try(:chomp) input = params['secret_token'].try(:chomp)
unless Devise.secure_compare(secret_token, input)
unauthorized!
end
end end
def authenticated_as_admin! def authenticated_as_admin!
......
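Review bot: The nil case is handled only implicitly here: `params['secret_token'].try(:chomp)` yields nil when the parameter is absent, and `Devise.secure_compare` returns false for a blank argument (and likewise for an unset `secret_token`), so the request still falls through to `unauthorized!`. That is the right failure direction, but a one-line comment above `input = ...` saying that a missing token is rejected by `secure_compare` would save the next reader from checking the library. Also note that `Devise.secure_compare` returns early on a byte-length mismatch before its constant-time loop, so the timing guarantee only covers candidates of the same length as the real token; that is adequate for a fixed-length shell secret but should not be relied on for variable-length credentials. Minor style point: the surrounding helpers use the one-line form, so `unauthorized! unless Devise.secure_compare(secret_token, input)` would keep this method consistent with `authenticated_as_admin!` and the code it replaces.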