harrystech / cronut

[DEPRECATED] A dead man's switch server implementation in Rails. (We @harrystech have moved to a full-featured "job monitoring as a service" vendor and have retired Cronut.)
24 stars 6 forks

FIX MAJOR VULNERABILITY IN BASIC AUTH #16

Closed werkshy closed 9 years ago

werkshy commented 9 years ago

As responsibly disclosed by @geoffharcourt the HTTP basic auth in Cronut is trivially defeated by entering empty credentials. This PR fixes that, and additionally corrects a bug where ping requests were being subject to IP whitelisting functionality.

Fixes #15.
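The bug class described above, as an added illustration that is not Cronut's code and not the diff in this PR: one common way an HTTP basic auth check ends up accepting empty credentials is that an unset expected value is coerced to an empty string (`nil.to_s == ''`), so a blank submission compares equal to it. The hypothetical `weak_authorized?` shows that failure mode; `authorized?` is the fail-closed version that rejects any blank value on either side and compares in constant time. The config hashes and credential values are constructed for the example.

```ruby
# Constructed credential configurations. In a Rails app these would come from
# application config or ENV; here GOOD_CONFIG is a deployment that set both
# values and UNSET_CONFIG is one where neither was ever configured.
GOOD_CONFIG  = { user: 'monitor', pass: 'correct horse battery staple' }.freeze
UNSET_CONFIG = { user: nil, pass: nil }.freeze

# Hypothetical defective check (illustrates the bug class, not Cronut's code).
# `to_s` turns a missing expected value into '' and '' == '' is true, so a
# request with empty username and password is accepted when the expected
# credentials were never set.
def weak_authorized?(config, user, pass)
  user.to_s == config[:user].to_s && pass.to_s == config[:pass].to_s
end

# Constant-time byte comparison so a mismatch position does not leak via timing.
# Lengths are checked first; unequal lengths are rejected immediately.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened check: fail closed. Any nil or empty value, whether submitted by the
# client or missing from configuration, rejects the request outright. `&` (not
# `&&`) runs both comparisons regardless of the first result.
def authorized?(config, user, pass)
  values = [config[:user], config[:pass], user, pass]
  return false if values.any? { |v| v.nil? || v.empty? }
  secure_equal?(user, config[:user]) & secure_equal?(pass, config[:pass])
end

if __FILE__ == $PROGRAM_NAME
  puts "weak, unset config, blank creds:  #{weak_authorized?(UNSET_CONFIG, '', '')}"   # true (the bypass)
  puts "fixed, unset config, blank creds: #{authorized?(UNSET_CONFIG, '', '')}"         # false
  puts "fixed, good config, right creds:  #{authorized?(GOOD_CONFIG, 'monitor', 'correct horse battery staple')}"
  puts "fixed, good config, wrong pass:   #{authorized?(GOOD_CONFIG, 'monitor', 'wrong')}"
end
```

In a Rails controller the `authorized?` predicate would be the block passed to `authenticate_or_request_with_http_basic`, which supplies the submitted `user` and `pass` and returns 401 when the block is false. Keeping the blank-value rejection inside the predicate means a misconfigured deployment (no credentials set) denies every request rather than admitting every request.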

pjambet commented 9 years ago

:+1: Thanks @geoffharcourt !

geoffharcourt commented 9 years ago

Cronut is awesome. Thanks for getting this in so fast.