Browse files

A test to show that http_authentication needs to fail authentication …

…if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
  • Loading branch information...
1 parent 5fb66a3 commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489 nate committed with NZKoz May 26, 2009
View
4 actionpack/lib/action_controller/http_authentication.rb
@@ -183,7 +183,7 @@ def authorization(request)
request.env['REDIRECT_X_HTTP_AUTHORIZATION']
end
- # Raises error unless the request credentials response value matches the expected value.
+ # Returns false unless the request credentials response value matches the expected value.
# First try the password as a ha1 digest password. If this fails, then try it as a plain
# text password.
def validate_digest_response(request, realm, &password_procedure)
@@ -192,6 +192,8 @@ def validate_digest_response(request, realm, &password_procedure)
if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
password = password_procedure.call(credentials[:username])
+ return false unless password
+
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
[true, false].any? do |password_is_ha1|
View
14 actionpack/test/controller/http_digest_authentication_test.rb
@@ -67,6 +67,15 @@ def authenticate_with_request
assert_equal 'SuperSecret', credentials[:realm]
end
+ test "authentication request with nil credentials" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+ get :index
+
+ assert_response :unauthorized
+ assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request"
+ assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request"
+ end
+
test "authentication request with invalid password" do
@request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo')
get :display
@@ -161,6 +170,11 @@ def authenticate_with_request
assert_equal 'Definitely Maybe', @response.body
end
+ test "validate_digest_response should fail with nil returning password_procedure" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+ assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil}
+ end
+
private
def encode_credentials(options)

0 comments on commit 056ddbd

Please sign in to comment.