Merge branch 'master' into fix-restricted-visibility

Conflicts: db/schema.rb
author: Vinnie Okada <vokada@mrvinn.com> 2015-03-14 10:49:11 -0600
committer: Vinnie Okada <vokada@mrvinn.com> 2015-03-14 10:49:11 -0600
commit: ad0ca0499ac81c68e9e8011d2e194b16c759c1d6 (patch)
tree: b3a39a2ef6cc4cfbdeab37fff87ed66dd4dcf9dc /lib/api/helpers.rb
parent: 13e9f4f33420bf0bae0b61b98dd3c2301d6f6223 (diff)
parent: 19e0dafbef47ca04f19d38b72b817beeb09e8510 (diff)
download: gitlab-ce-ad0ca0499ac81c68e9e8011d2e194b16c759c1d6.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index f46dc8b456e..a6e77002a01 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -83,7 +83,10 @@ module API
     end
 
     def authenticate_by_gitlab_shell_token!
-      unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+      input = params['secret_token'].try(:chomp)
+      unless Devise.secure_compare(secret_token, input)
+        unauthorized!
+      end
     end
 
     def authenticated_as_admin!
author	Vinnie Okada <vokada@mrvinn.com>	2015-03-14 10:49:11 -0600
committer	Vinnie Okada <vokada@mrvinn.com>	2015-03-14 10:49:11 -0600
commit	ad0ca0499ac81c68e9e8011d2e194b16c759c1d6 (patch)
tree	b3a39a2ef6cc4cfbdeab37fff87ed66dd4dcf9dc /lib/api/helpers.rb
parent	13e9f4f33420bf0bae0b61b98dd3c2301d6f6223 (diff)
parent	19e0dafbef47ca04f19d38b72b817beeb09e8510 (diff)
download	gitlab-ce-ad0ca0499ac81c68e9e8011d2e194b16c759c1d6.tar.gz