Skip to content
This repository
Browse code

Digest auth should not 500 when given a basic header.

  • Loading branch information...
commit 95332abe091d0fe8b6b108fffa8208af21a4cca0 1 parent bfdd3c2
brad dunbar braddunbar authored
5 actionpack/CHANGELOG.md
Source Rendered
... ... @@ -1,5 +1,10 @@
1 1 ## Rails 4.0.0 (unreleased) ##
2 2
  3 +* Ensure that digest authentication responds with a 401 status when a basic
  4 + header is received.
  5 +
  6 + *Brad Dunbar*
  7 +
3 8 * Include I18n locale fallbacks in view lookup.
4 9 Fixes GH#3512.
5 10
1  actionpack/lib/action_controller/metal/http_authentication.rb
@@ -299,6 +299,7 @@ def nonce(secret_key, time = Time.now)
299 299 # allow a user to use new nonce without prompting user again for their
300 300 # username and password.
301 301 def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
  302 + return false if value.nil?
302 303 t = ::Base64.decode64(value).split(":").first.to_i
303 304 nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
304 305 end
8 actionpack/test/controller/http_digest_authentication_test.rb
@@ -249,6 +249,14 @@ def authenticate_with_request
249 249 assert_equal 'Definitely Maybe', @response.body
250 250 end
251 251
  252 + test "when sent a basic auth header, returns Unauthorized" do
  253 + @request.env['HTTP_AUTHORIZATION'] = 'Basic Gwf2aXq8ZLF3Hxq='
  254 +
  255 + get :display
  256 +
  257 + assert_response :unauthorized
  258 + end
  259 +
252 260 private
253 261
254 262 def encode_credentials(options)

0 comments on commit 95332ab

Please sign in to comment.
Something went wrong with that request. Please try again.