Permalink
Browse files

A test to show that http_authentication needs to fail authentication …

…if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
  • Loading branch information...
1 parent 114e25e commit f68cc639f57a9fc261a2e432d1fdd749146d689d nate committed with NZKoz May 26, 2009
View
4 actionpack/lib/action_controller/base/http_authentication.rb
@@ -185,7 +185,7 @@ def authorization(request)
request.env['REDIRECT_X_HTTP_AUTHORIZATION']
end
- # Raises error unless the request credentials response value matches the expected value.
+ # Returns false unless the request credentials response value matches the expected value.
# First try the password as a ha1 digest password. If this fails, then try it as a plain
# text password.
def validate_digest_response(request, realm, &password_procedure)
@@ -194,6 +194,8 @@ def validate_digest_response(request, realm, &password_procedure)
if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
password = password_procedure.call(credentials[:username])
+ return false unless password
+
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
[true, false].any? do |password_is_ha1|
View
14 actionpack/test/controller/http_digest_authentication_test.rb
@@ -76,6 +76,15 @@ def authenticate_with_request
assert_equal 'SuperSecret', credentials[:realm]
end
+ test "authentication request with nil credentials" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+ get :index
+
+ assert_response :unauthorized
+ assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request"
+ assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request"
+ end
+
test "authentication request with invalid password" do
@request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo')
get :display
@@ -168,6 +177,11 @@ def authenticate_with_request
assert_equal 'Definitely Maybe', @response.body
end
+ test "validate_digest_response should fail with nil returning password_procedure" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+ assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil}
+ end
+
private
def encode_credentials(options)

1 comment on commit f68cc63

@alloy

There's also still a test missing for blank credentials instead of `nil' and how about one with multibyte characters? (“café" vs “cafe”.)

Cheers

Please sign in to comment.