
MD5 Digest auth: fail if authenticator returns nil

Fixes the authenticator API to deny access if nil is returned from the
authenticator block. Without this patch, the nil gets to_s'd to "" and
an empty password would be accepted.

Backported to rack-1.1.

Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
1 parent eab4da6 · commit 6f98b49894d4dcf0817c790af5e7908166ecff26 · chneukirchen committed Mar 13, 2011
Showing with 8 additions and 1 deletion.
  1. +2 −1 lib/rack/auth/digest/md5.rb
  2. +6 −0 test/spec_rack_auth_digest.rb
3 lib/rack/auth/digest/md5.rb
@@ -91,7 +91,8 @@ def valid_nonce?(auth)
end
def valid_digest?(auth)
- digest(auth, @authenticator.call(auth.username)) == auth.response
+ pw = @authenticator.call(auth.username)
+ pw && digest(auth, pw) == auth.response
end
def md5(data)
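Review bot: `pw && digest(auth, pw) == auth.response` returns nil rather than false when the authenticator yields nil, so `valid_digest?` is no longer strictly boolean despite the `?` suffix; an explicit guard such as `return false unless pw` ahead of the original comparison makes the deny path obvious and keeps the return type consistent. It is also worth documenting at the authenticator block that it must return nil (not `""`) for an unknown user: `pw &&` only rejects nil and false, so an empty string handed back by the block still takes part in the digest comparison and would match an empty client password.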
6 test/spec_rack_auth_digest.rb
@@ -151,6 +151,12 @@ def assert_bad_request(response)
end
end
+ specify 'rechallenge if incorrect user and blank password given' do
+ request_with_digest_auth 'GET', '/', 'Bob', '' do |response|
+ assert_digest_auth_challenge response
+ end
+ end
+
specify 'should rechallenge with stale parameter if nonce is stale' do
begin
Rack::Auth::Digest::Nonce.time_limit = 1
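Review bot: the new spec covers only the unknown-user case ('Bob' with a blank password) and depends on the test authenticator returning nil for that user, which is not visible in this hunk; a comment stating that assumption, or a second case in which a known user submits a blank password and is still rechallenged, would pin down the exact regression the commit message describes (nil being `to_s`'d to `""`). Minor style point: the description 'rechallenge if incorrect user and blank password given' drops the 'should' prefix used by the neighbouring spec ('should rechallenge with stale parameter if nonce is stale'); consistent phrasing helps when scanning the spec output.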

0 comments on commit 6f98b49