by ryanlol 3794 days ago
>- A timing attack if you're using HTTP basic auth

I'd say that qualifies as pretty bad.

How the hell does that even happen? Using time constant string comparison is authentication 101. That's really not something you can mess up by mistake, it's something you mess up by not understanding what you're doing. And that's all ignoring the fact that there's no reason to not use hashing here.


The vast majority of rails applications do not use HTTP basic authentication, and I would guess that most of the ones that do use nginx or apache to provide it. This was probably not caught until now because hardly anyone uses it.
I've seen a bunch of companies use rails HTTP basic auth internally.

And it's not that it wasn't caught until now, it's that it wasn't caught before the commit was accepted.

I expect (though I have not looked) that it's old code that wasn't eyeballed for security so much as for consistency and correctness. Once in, it doesn't leave.
I imagine every app on Heroku which uses basic auth is at risk then.
Turns out, deciding how to compare two strings when they may be differing lengths is tricky.
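An added example (not code from this thread, and not Rails' own implementation) illustrating the two points raised above: the instrumented naive compare makes the early-exit leak visible by counting how many bytes are examined before it rejects, and the hash-then-compare version shows how hashing both sides sidesteps the differing-length problem entirely. Function names are my own.

```ruby
require 'openssl'

# Instrumented naive comparison: returns [equal?, bytes_examined].
# A plain String#== stops at the first differing byte (and rejects a
# length mismatch before looking at any bytes); the counter exposes
# exactly what an attacker measures through timing.
def naive_compare_counting(a, b)
  return [false, 0] if a.bytesize != b.bytesize   # length mismatch: instant reject
  a.bytes.each_with_index do |x, i|
    return [false, i + 1] if x != b.getbyte(i)    # early exit at first mismatch
  end
  [true, a.bytesize]
end

# Constant-time comparison for inputs that are already the same length:
# XOR every byte pair and OR the results together, never exiting early,
# so the work done does not depend on where (or whether) they differ.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, 'inputs must be the same length' unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Variable-length inputs: hash both sides to a fixed-size digest first,
# then compare the digests in constant time. The length of the caller's
# input is no longer observable, and the raw secret is never the operand
# of a data-dependent comparison.
def secure_compare(a, b)
  fixed_length_secure_compare(
    OpenSSL::Digest::SHA256.digest(a),
    OpenSSL::Digest::SHA256.digest(b)
  )
end
```

Run the counting function with guesses that share a longer and longer prefix of the real password to see the examined-byte count climb with each correct byte; that monotonic relationship is the whole attack surface the constant-time version removes.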