LXer: Ruby On Rails password protection can be nullified due to flawed code
Published at LXer:
The Ruby on Rails developers have noted in their blog a security problem which can allow the circumvention of password protection of pages or content. This is related to the return value from the digest authentication code, authenticate_or_request_with_http_digest. This code should return true if the user is found and false if not. However, the documentation was unclear, and it was possible for a developer to return nil from the method.
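The failure mode described above, as a runnable illustration added here; it is not code from the Rails project or from the original post. It is a simplified model of an RFC 2617 digest check (qop=auth) in which the password lookup hands back nil for an unknown user, exactly the case the summary warns about. The realm, user store, nonce and usernames are constructed for the example, and `authenticate_vulnerable` / `authenticate_fixed` are models of the two behaviours, not the framework's own methods. The assumed mechanism is that a nil password is folded into the hash as an empty string, so a client who sends a response computed with an empty password under a non-existent username matches the server's expectation.

```ruby
require 'digest/md5'

# Constructed sample data for this example (not from the page).
REALM = 'Admin Area'
USERS = { 'alice' => 'correct horse battery staple' }.freeze

# Password lookup written the way the summary above describes the risky
# pattern: the user's password when the user exists, nil when not.
def lookup_password(username)
  USERS[username]
end

# RFC 2617 digest response for qop=auth. The client computes it from the
# password it knows; the server recomputes it from the password it looked up.
def digest_response(username, password, nonce, nc, cnonce, http_method, uri)
  ha1 = Digest::MD5.hexdigest([username, REALM, password].join(':'))
  ha2 = Digest::MD5.hexdigest([http_method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, nonce, nc, cnonce, 'auth', ha2].join(':'))
end

# Vulnerable server check (assumed model, not Rails' code): whatever the
# lookup returns goes straight into the hash. Array#join renders nil as "",
# so an unknown user still yields an expected response, and the attacker
# can compute that same value without knowing any password.
def authenticate_vulnerable(creds, &lookup)
  password = lookup.call(creds[:username])
  expected = digest_response(creds[:username], password, creds[:nonce], creds[:nc],
                             creds[:cnonce], creds[:method], creds[:uri])
  expected == creds[:response]
end

# Hardened check: a nil or false lookup result is a hard failure before any
# hashing happens, so an unknown username can never be authenticated.
def authenticate_fixed(creds, &lookup)
  password = lookup.call(creds[:username])
  return false unless password
  expected = digest_response(creds[:username], password, creds[:nonce], creds[:nc],
                             creds[:cnonce], creds[:method], creds[:uri])
  expected == creds[:response]
end

# The Authorization-header fields a client would send. A legitimate client
# supplies its real password; the attacker supplies "" (what nil collapses
# to) under a username that does not exist in the store.
def client_credentials(username, password, nonce:, method: 'GET', uri: '/admin')
  nc = '00000001'
  cnonce = 'c0ffee'
  { username: username, nonce: nonce, nc: nc, cnonce: cnonce, method: method, uri: uri,
    response: digest_response(username, password, nonce, nc, cnonce, method, uri) }
end

NONCE = 'constructed-server-nonce' # a real server issues and validates a fresh one

# Runs the three interesting requests against both checks and returns the outcomes.
def demo
  good   = client_credentials('alice', 'correct horse battery staple', nonce: NONCE)
  wrong  = client_credentials('alice', 'guess', nonce: NONCE)
  forged = client_credentials('mallory', '', nonce: NONCE) # no such user, empty "password"
  lookup = ->(u) { lookup_password(u) }
  {
    vulnerable: { alice:  authenticate_vulnerable(good, &lookup),
                  wrong:  authenticate_vulnerable(wrong, &lookup),
                  forged: authenticate_vulnerable(forged, &lookup) },
    fixed:      { alice:  authenticate_fixed(good, &lookup),
                  wrong:  authenticate_fixed(wrong, &lookup),
                  forged: authenticate_fixed(forged, &lookup) }
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The vulnerable check accepts the forged request for `mallory` while still rejecting a wrong password for `alice`, which is why the bug is easy to miss in ordinary testing: valid users behave correctly, and only a request for a username that does not exist slips through. The one-line guard in `authenticate_fixed` is the whole difference.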