Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Digest auth should not 500 when given a basic header. #9022

Merged
merged 1 commit into from

2 participants

@braddunbar

No description provided.

@steveklabnik
Collaborator

This seems good. Can you please amend the commit to include a CHANGELOG entry please?

@braddunbar

Sure thing, CHANGELOG entry added above.

@braddunbar

Ping! @steveklabnik Anything else you need here?

...ck/test/controller/http_digest_authentication_test.rb
@@ -249,6 +249,14 @@ def authenticate_with_request
assert_equal 'Definitely Maybe', @response.body
end
+ test "basic auth header" do
@steveklabnik Collaborator

Can you change this to actually describe the result, too? Maybe "when sent a basic auth header, returns Unauthorized"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@steveklabnik
Collaborator

Also, I need a squash + rebase.

@braddunbar

Done and done. Thanks!

@steveklabnik steveklabnik merged commit 2a5521e into rails:master
@steveklabnik
Collaborator

Thank you! :heart:

@braddunbar braddunbar deleted the braddunbar:digest-basic-auth branch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Mar 18, 2013
  1. @braddunbar
This page is out of date. Refresh to see the latest.
View
5 actionpack/CHANGELOG.md
@@ -1,5 +1,10 @@
## Rails 4.0.0 (unreleased) ##
+* Ensure that digest authentication responds with a 401 status when a basic
+ header is received.
+
+ *Brad Dunbar*
+
* Include I18n locale fallbacks in view lookup.
Fixes GH#3512.
View
1  actionpack/lib/action_controller/metal/http_authentication.rb
@@ -299,6 +299,7 @@ def nonce(secret_key, time = Time.now)
# allow a user to use new nonce without prompting user again for their
# username and password.
def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
+ return false if value.nil?
t = ::Base64.decode64(value).split(":").first.to_i
nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
end
View
8 actionpack/test/controller/http_digest_authentication_test.rb
@@ -249,6 +249,14 @@ def authenticate_with_request
assert_equal 'Definitely Maybe', @response.body
end
+ test "when sent a basic auth header, returns Unauthorized" do
+ @request.env['HTTP_AUTHORIZATION'] = 'Basic Gwf2aXq8ZLF3Hxq='
+
+ get :display
+
+ assert_response :unauthorized
+ end
+
private
def encode_credentials(options)
Something went wrong with that request. Please try again.