author | James Lopez <james@jameslopez.es> | 2016-03-02 12:18:43 +0100 |
---|---|---|
committer | James Lopez <james@jameslopez.es> | 2016-03-02 12:18:43 +0100 |
commit | 70623cd423b0c7e26e56422bf25c413d9921ee88 (patch) | |
tree | f977ca35d156db2d7a75fce165dd704f59818edb /app/models/project.rb | |
parent | 8cba0612e16268ea12904e40ce7dad293998a875 (diff) | |
download | gitlab-ce-70623cd423b0c7e26e56422bf25c413d9921ee88.tar.gz |
fix token issue - timing attack
Diffstat (limited to 'app/models/project.rb')
-rw-r--r-- | app/models/project.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 6f5d592755a..6c9377448e2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -889,13 +889,13 @@ class Project < ActiveRecord::Base
 end
 
 def valid_runners_token? token
- self.runners_token && self.runners_token == token
+ self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
 end
 
 # TODO (ayufan): For now we use runners_token (backward compatibility)
 # In 8.4 every build will have its own individual token valid for time of build
 def valid_build_token? token
- self.builds_enabled? && self.runners_token && self.runners_token == token
+ self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
 end
 
 def build_coverage_enabled? |
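Review bot: Both new comparisons pass `token` to `secure_compare` without checking it, and only `runners_token` is guarded. The old `==` returned false for a nil or non-String token, but as far as I know `secure_compare` calls `bytesize` on its arguments, so a request with no token may now raise instead of being rejected. The callers are outside this hunk, so this needs confirming; if it holds, guard the caller-supplied value in `valid_runners_token?`, e.g. `token.is_a?(String) && runners_token.present? && ActiveSupport::SecurityUtils.secure_compare(token, runners_token)`. `valid_build_token?` could then be `builds_enabled? && valid_runners_token?(token)`, so the constant-time check lives in one place. A spec calling both methods with `nil` and with a wrong token of the same length would pin the behaviour.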