Permalink
Browse files

Fix HTTP basic authentication for long credentials [#2572 state:resol…

…ved]

Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
  • Loading branch information...
1 parent d39c456 commit 389449d9aef3f32842a2022130e5be552b039124 Jan Schwenzien committed with lifo Aug 9, 2009
@@ -139,7 +139,7 @@ def authorization(request)
end
def decode_credentials(request)
- ActiveSupport::Base64.decode64(authorization(request).split.last || '')
+ ActiveSupport::Base64.decode64(authorization(request).split(' ', 2).last || '')
end
def encode_credentials(user_name, password)
@@ -4,6 +4,7 @@ class HttpBasicAuthenticationTest < ActionController::TestCase
class DummyController < ActionController::Base
before_filter :authenticate, :only => :index
before_filter :authenticate_with_request, :only => :display
+ before_filter :authenticate_long_credentials, :only => :show
def index
render :text => "Hello Secret"
@@ -12,6 +13,10 @@ def index
def display
render :text => 'Definitely Maybe'
end
+
+ def show
+ render :text => 'Only for loooooong credentials'
+ end
private
@@ -28,6 +33,12 @@ def authenticate_with_request
request_http_basic_authentication("SuperSecret")
end
end
+
+ def authenticate_long_credentials
+ authenticate_or_request_with_http_basic do |username, password|
+ username == '1234567890123456789012345678901234567890' && password == '1234567890123456789012345678901234567890'
+ end
+ end
end
AUTH_HEADERS = ['HTTP_AUTHORIZATION', 'X-HTTP_AUTHORIZATION', 'X_HTTP_AUTHORIZATION', 'REDIRECT_X_HTTP_AUTHORIZATION']
@@ -42,6 +53,13 @@ def authenticate_with_request
assert_response :success
assert_equal 'Hello Secret', @response.body, "Authentication failed for request header #{header}"
end
+ test "successful authentication with #{header.downcase} and long credentials" do
+ @request.env[header] = encode_credentials('1234567890123456789012345678901234567890', '1234567890123456789012345678901234567890')
+ get :show
+
+ assert_response :success
+ assert_equal 'Only for loooooong credentials', @response.body, "Authentication failed for request header #{header} and long credentials"
+ end
end
AUTH_HEADERS.each do |header|
@@ -52,6 +70,13 @@ def authenticate_with_request
assert_response :unauthorized
assert_equal "HTTP Basic: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header}"
end
+ test "unsuccessful authentication with #{header.downcase} and long credentials" do
+ @request.env[header] = encode_credentials('h4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0r', 'worldworldworldworldworldworldworldworld')
+ get :show
+
+ assert_response :unauthorized
+ assert_equal "HTTP Basic: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header} and long credentials"
+ end
end
test "authentication request without credential" do

0 comments on commit 389449d

Please sign in to comment.