<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array">
    <added>
      <filename>spec/models/user_spec.rb</filename>
    </added>
  </added>
  <modified type="array">
    <modified>
      <diff>@@ -32,6 +32,7 @@ class User &lt; ActiveRecord::Base
 
   # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
   def self.authenticate_for(site, login, password)
+    return nil if site.nil? || login.nil? || login.blank? || password.nil? || password.blank?
     u = find(:first, @@membership_options.merge(
       :conditions =&gt; ['users.login = ? and (memberships.site_id = ? or users.admin = ?)', login, site.id, true]))
     u &amp;&amp; u.authenticated?(password) ? u : nil
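Review bot: The `login.nil? ||` and `password.nil? ||` halves of the new guard in authenticate_for are redundant, because ActiveSupport (already loaded here via ActiveRecord::Base) defines `blank?` on nil to return true, so `login.blank?` and `password.blank?` each cover the nil case on their own; the same applies to `token.nil? || token.blank?` in the find_by_token hunk below. Shortening to `return nil if site.nil? || login.blank? || password.blank?` (and `return nil if site.nil? || token.blank?` in find_by_token) keeps exactly the same rejections and makes the intent — refuse empty credentials before they reach the query — easier to audit. The guard itself is worth keeping even though the message calls it "probably unnecessary": it is the only thing that stops an empty-string login or token from being handed to `find`, where it would presumably match any row whose column is stored as an empty string. authenticate_for's closing `end` is outside this hunk.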
@@ -55,6 +56,7 @@ class User &lt; ActiveRecord::Base
   end
 
   def self.find_by_token(site, token)
+    return nil if site.nil? || token.nil? || token.blank?
     find(:first, @@membership_options.merge(:conditions =&gt; ['token = ? and token_expires_at &gt; ? and (memberships.site_id = ? or users.admin = ?)', token, Time.now.utc, site.id, true]))
   end
   </diff>
      <filename>app/models/user.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>c500bf8e05c250d02672c30d079a0bdeb66f0569</id>
    </parent>
  </parents>
  <author>
    <name>Eric Kidd</name>
    <email>git@randomhacks.net</email>
  </author>
  <url>http://github.com/emk/mephisto/commit/64eff7f46ab8191d1dd766f7746f3a52d31fd7b3</url>
  <id>64eff7f46ab8191d1dd766f7746f3a52d31fd7b3</id>
  <committed-date>2008-12-20T07:43:45-08:00</committed-date>
  <authored-date>2008-12-20T07:43:45-08:00</authored-date>
  <message>Security: Attempt to block auth of nil tokens, etc.

Some Rails authentication systems have suffered from a vulnerability
involving nil or blank login tokens:

  http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/

This patch includes a bunch of test cases testing for possible attacks
along these lines, and some sanity-checking code in our authentication
methods.

Note that the tests and the code don't really &quot;line up&quot; here--most of
the test methods passed already, and most of the sanity-checking code
is probably unnecessary.  But again, better safe than sorry.</message>
  <tree>3b4e0fdd75748350aff26d604f7f5a7d6a61e552</tree>
  <committer>
    <name>Eric Kidd</name>
    <email>git@randomhacks.net</email>
  </committer>
</commit>
