Allow username of 0 in basic authentication.

Refs #3624
cakephp · Jun 3, 2014 · 975e4c3 · 975e4c3
1 parent d1e4dfa
commit 975e4c3
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -78,7 +78,7 @@ public function getUser(CakeRequest $request) {
 		$username = env('PHP_AUTH_USER');
 		$pass = env('PHP_AUTH_PW');
 
-		if (empty($username) || empty($pass)) {
+		if (!is_string($username) || $username === '' || !is_string($pass) || $pass === '') {
 			return false;
 		}
 		return $this->_findUser($username, $pass);

diff --git a/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php b/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php
@@ -126,10 +126,35 @@ public function testAuthenticateInjection() {
 		$_SERVER['PHP_AUTH_PW'] = "' OR 1 = 1";
 
 		$this->assertFalse($this->auth->getUser($request));
-
 		$this->assertFalse($this->auth->authenticate($request, $this->response));
 	}
 
+/**
+ * Test that username of 0 works.
+ *
+ * @return void
+ */
+	public function testAuthenticateUsernameZero() {
+		$User = ClassRegistry::init('User');
+		$User->updateAll(array('user' => $User->getDataSource()->value('0')), array('user' => 'mariano'));
+
+		$request = new CakeRequest('posts/index', false);
+		$request->data = array('User' => array(
+			'user' => '0',
+			'password' => 'password'
+		));
+		$_SERVER['PHP_AUTH_USER'] = '0';
+		$_SERVER['PHP_AUTH_PW'] = 'password';
+
+		$expected = array(
+			'id' => 1,
+			'user' => '0',
+			'created' => '2007-03-17 01:16:23',
+			'updated' => '2007-03-17 01:18:31'
+		);
+		$this->assertEquals($expected, $this->auth->authenticate($request, $this->response));
+	}
+
 /**
  * test that challenge headers are sent when no credentials are found.
  *