From 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489 Mon Sep 17 00:00:00 2001
From: nate <nate@inklingmarkets.com>
Date: Tue, 26 May 2009 15:06:09 -0500
Subject: [PATCH] A test to show that http_authentication needs to fail
 authentication if the password procedure returns nil. Also includes a fix to
 validate_digest_response to fail validation if the password procedure returns
 nil.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
---
 .../lib/action_controller/http_authentication.rb   |  4 +++-
 .../controller/http_digest_authentication_test.rb  | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
index eb64525881d22..88c289bcf9973 100644
--- a/actionpack/lib/action_controller/http_authentication.rb
+++ b/actionpack/lib/action_controller/http_authentication.rb
@@ -183,7 +183,7 @@ def authorization(request)
         request.env['REDIRECT_X_HTTP_AUTHORIZATION']
       end
 
-      # Raises error unless the request credentials response value matches the expected value.
+      # Returns false unless the request credentials response value matches the expected value.
       # First try the password as a ha1 digest password. If this fails, then try it as a plain
       # text password.
       def validate_digest_response(request, realm, &password_procedure)
@@ -192,6 +192,8 @@ def validate_digest_response(request, realm, &password_procedure)
 
         if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
+          return false unless password
+
           method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
 
          [true, false].any? do |password_is_ha1|
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index a725f7cfb4ee6..5cc47ee7f97b2 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -67,6 +67,15 @@ def authenticate_with_request
     assert_equal 'SuperSecret', credentials[:realm]
   end
 
+  test "authentication request with nil credentials" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+    get :index
+
+    assert_response :unauthorized
+    assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request"
+    assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request"
+  end
+
   test "authentication request with invalid password" do
     @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo')
     get :display
@@ -161,6 +170,11 @@ def authenticate_with_request
     assert_equal 'Definitely Maybe', @response.body
   end
 
+  test "validate_digest_response should fail with nil returning password_procedure" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+    assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil}
+  end
+
   private
 
   def encode_credentials(options)