MD5 Digest auth: fail if authenticator returns nil

Fixes the authenticator API to deny access if nil is returned from the authenticator block. Without this patch, the nil gets to_s'd to "" and an empty password would be accepted. Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
rack · Mar 13, 2011 · d38d2d5 · d38d2d5
1 parent e3ffeac
commit d38d2d5
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/rack/auth/digest/md5.rb b/lib/rack/auth/digest/md5.rb
@@ -91,7 +91,8 @@ def valid_nonce?(auth)
         end
 
         def valid_digest?(auth)
-          digest(auth, @authenticator.call(auth.username)) == auth.response
+          pw = @authenticator.call(auth.username)
+          pw && digest(auth, pw) == auth.response
         end
 
         def md5(data)

diff --git a/test/spec_auth_digest.rb b/test/spec_auth_digest.rb
@@ -149,6 +149,12 @@ def assert_bad_request(response)
     end
   end
 
+  should 'rechallenge if incorrect user and blank password given' do
+    request_with_digest_auth 'GET', '/', 'Bob', '' do |response|
+      assert_digest_auth_challenge response
+    end
+  end
+
   should 'rechallenge with stale parameter if nonce is stale' do
     begin
       Rack::Auth::Digest::Nonce.time_limit = 1