diff --git a/app/assets/javascripts/blob/edit_blob.js.coffee b/app/assets/javascripts/blob/edit_blob.js.coffee
index 6914ca759f6..2e91a06daa8 100644
--- a/app/assets/javascripts/blob/edit_blob.js.coffee
+++ b/app/assets/javascripts/blob/edit_blob.js.coffee
@@ -15,7 +15,7 @@ class @EditBlob
 $(".js-commit-button").click ->
 $("#file-content").val editor.getValue()
 $(".file-editor form").submit()
- return
+ return false
 editModePanes = $(".js-edit-mode-pane")
 editModeLinks = $(".js-edit-mode a")
diff --git a/app/assets/javascripts/blob/new_blob.js.coffee b/app/assets/javascripts/blob/new_blob.js.coffee
index a6e27116b40..ab8f98715e8 100644
--- a/app/assets/javascripts/blob/new_blob.js.coffee
+++ b/app/assets/javascripts/blob/new_blob.js.coffee
@@ -15,7 +15,7 @@ class @NewBlob
 $(".js-commit-button").click ->
 $("#file-content").val editor.getValue()
 $(".file-editor form").submit()
- return
+ return false
 editor: -> return @editor
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 228a719fbdf..ee678d84c84 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -83,7 +83,10 @@ module API
 end
 def authenticate_by_gitlab_shell_token!
- unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+ input = params['secret_token'].try(:chomp)
+ unless Devise.secure_compare(secret_token, input)
+ unauthorized!
+ end
 end
 def authenticated_as_admin!
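Review bot: `return false` in the `.js-commit-button` click handler cancels the default action and also stops propagation, so a delegated click listener on an ancestor of the button would no longer fire. If the intent is only to prevent the browser's own submit after `$(".file-editor form").submit()` (presumably a double submission), stating it explicitly is clearer: `$(".js-commit-button").click (e) ->` with `e.preventDefault()` as the first statement. The same applies to the identical handler in new_blob.js.coffee. Both class bodies continue outside their hunks.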
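Review bot: `params['secret_token'].try(:chomp)` in authenticate_by_gitlab_shell_token! still passes through whatever type the request parser produced, so a nested parameter (array or hash) can reach `Devise.secure_compare`. Depending on the `try` semantics of the Rails version in use, that ends as nil or as an exception rather than a clean 401. Coercing first, `input = params['secret_token'].to_s.chomp`, keeps the rejection path uniform. A short comment above the comparison, e.g. `# constant-time comparison of the shared secret; do not replace with ==`, would keep the check from being simplified back later. A spec covering a missing, a wrong and a non-string `secret_token` would pin the fail-closed behaviour.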