    Avoid #authenticate_user! in #route_not_found · 00b3e372
    Kerri Miller authored
    This method, #route_not_found, is executed as the final fallback for
    unrecognized routes (as the name might imply). We want to avoid
    `#authenticate_user!` when calling `#route_not_found`;
    `#authenticate_user!` can, depending on the request format, return a 401
    instead of redirecting to a login page. This opens a subtle security
    exploit where anonymous users will receive a 401 response when
    attempting to access a private repo, while a recognized user will
    receive a 404, exposing the existence of the private, hidden repo.
29986-remove-leaky-401-responses.yml 98 Bytes
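The status-code oracle the commit message describes, shown as an added Ruby simulation that is not GitLab's code: the method names `authenticate_user!`, `route_not_found_leaky`, `route_not_found_fixed` and the `Request` struct are hypothetical stand-ins modelled on the commit text, and the private-repo table is constructed. The leaky fallback runs authentication first, so an anonymous JSON caller gets 401 while a signed-in non-owner gets 404; the fixed fallback answers 404 to both, which is the property a regression check should assert.

```ruby
# Added example, not part of the commit or the GitLab code base.
# Models the commit's 401-vs-404 discrepancy and its fix with
# hypothetical names; PRIVATE_REPOS is constructed sample data.

Request = Struct.new(:path, :format, :user)

# Constructed private repos, visible only to their owner.
PRIVATE_REPOS = { "/acme/secret-repo" => "alice" }.freeze

# Hypothetical authenticate_user!: for JSON/API requests it answers 401
# to anonymous callers instead of redirecting (302) to the login page.
# Returns nil when the caller is already signed in.
def authenticate_user!(req)
  return nil if req.user
  req.format == :json ? 401 : 302
end

# Leaky fallback (the "before" state): authentication runs before the
# not-found response, so the status depends on whether the caller is
# signed in rather than on the route alone.
def route_not_found_leaky(req)
  status = authenticate_user!(req)
  return status if status
  404
end

# Fixed fallback: always 404, regardless of who is asking.
def route_not_found_fixed(_req)
  404
end

# Minimal dispatcher: the owner sees the repo (200); everyone else
# falls through to the not-found handler named by +fallback+.
def dispatch(req, fallback)
  owner = PRIVATE_REPOS[req.path]
  return 200 if owner && req.user == owner
  send(fallback, req)
end

# Regression check: does the fallback's status differ between an
# anonymous caller and a signed-in non-owner for the same path?
# Any difference is the oracle the commit removes.
def auth_dependent_status?(fallback, path, format: :json)
  anon     = dispatch(Request.new(path, format, nil), fallback)
  outsider = dispatch(Request.new(path, format, "mallory"), fallback)
  anon != outsider
end

if __FILE__ == $PROGRAM_NAME
  %i[route_not_found_leaky route_not_found_fixed].each do |fb|
    puts "#{fb}: auth-dependent=#{auth_dependent_status?(fb, '/acme/secret-repo')}"
  end
end
```

The check is deliberately format-aware: the redirect path (HTML, 302) differs from the JSON path (401), so a test that only exercises browser requests would miss the leak the commit fixes.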