From b88cc8aa31ca1f06668700dd0ebe2b54ece8bba1 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Thu, 26 Jul 2012 13:30:15 -0700
Subject: [PATCH] * Do not convert digest auth strings to symbols.
 CVE-2012-3424

---
 actionpack/lib/action_controller/metal/http_authentication.rb |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 76adde9..f0da2cc 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -217,9 +217,9 @@ module ActionController
       end
 
       def decode_credentials(header)
-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
           key, value = pair.split('=', 2)
-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
+          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
         end]
       end
 
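Review bot: The regexes on the two new lines still use `^`/`$`, which in Ruby anchor at line boundaries rather than string boundaries, so a header value containing a newline would have the `Digest ` prefix and the surrounding quotes stripped once per line instead of once per string; `\A` and `\z` pin the whole string (`gsub(/\ADigest\s+/, '')` and `gsub(/\A"|"\z/, '')`). Whether a Rack header value can reach this method with an embedded newline is not visible in the hunk, so treat this as hardening rather than a reproducible defect. The switch from `to_sym` to string keys is the substance of the CVE-2012-3424 fix and deserves a why-comment so a later cleanup does not revert it, e.g. `# Keep keys as strings: in the Ruby versions this targets, Symbols are never garbage collected, so interning client-supplied names would let each request grow the symbol table.` Callers that index with symbols keep working through HashWithIndifferentAccess; decode_credentials is fully inside the hunk, but the enclosing module continues outside it.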
-- 
1.7.10.4