From 7f238d71bf1aa00824a87bc1e53f58cbd5f46bb1 Mon Sep 17 00:00:00 2001 | |
From: nate <nate@inklingmarkets.com> | |
Date: Tue, 26 May 2009 15:06:09 -0500 | |
Subject: [PATCH] A test to show that http_authentication needs to fail authentication if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil. | |
--- | |
.../action_controller/base/http_authentication.rb | 4 +++- | |
.../controller/http_digest_authentication_test.rb | 14 ++++++++++++++ | |
2 files changed, 17 insertions(+), 1 deletions(-) | |
diff --git a/actionpack/lib/action_controller/base/http_authentication.rb b/actionpack/lib/action_controller/base/http_authentication.rb | |
index 2893290..724f034 100644 | |
--- a/actionpack/lib/action_controller/base/http_authentication.rb | |
+++ b/actionpack/lib/action_controller/base/http_authentication.rb | |
@@ -185,7 +185,7 @@ module ActionController | |
request.env['REDIRECT_X_HTTP_AUTHORIZATION'] | |
end | |
- # Raises error unless the request credentials response value matches the expected value. | |
+ # Returns false unless the request credentials response value matches the expected value. | |
# First try the password as a ha1 digest password. If this fails, then try it as a plain | |
# text password. | |
def validate_digest_response(request, realm, &password_procedure) | |
@@ -194,6 +194,8 @@ module ActionController | |
if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque] | |
password = password_procedure.call(credentials[:username]) | |
+ return false unless password | |
+ | |
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD'] | |
[true, false].any? do |password_is_ha1| | |
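Review bot: The new guard `return false unless password` only rejects nil (or false), so a password procedure that yields an empty string for an unknown user — a hash lookup with a default, or a record whose password column is blank — still falls through to the digest computation, because Ruby treats "" as truthy. Since the point of the fix is that a missing password must never be hashed (presumably it would otherwise be interpolated as an empty string and match an empty client password), rejecting blank as well costs nothing: `return false if password.nil? || password.to_s.empty?`. The guard also deserves a why-comment, because on its own it reads like a nil-safety nit rather than an authentication-bypass fix, e.g. `# Unknown user: never hash a missing password, it would be compared as an empty string.`. validate_digest_response continues past the hunk; the HA1/plaintext comparison loop opened by `[true, false].any?` is not visible here.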
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb | |
index 15a1139..9fd849e 100644 | |
--- a/actionpack/test/controller/http_digest_authentication_test.rb | |
+++ b/actionpack/test/controller/http_digest_authentication_test.rb | |
@@ -75,6 +75,15 @@ class HttpDigestAuthenticationTest < ActionController::TestCase | |
credentials = decode_credentials(@response.headers['WWW-Authenticate']) | |
assert_equal 'SuperSecret', credentials[:realm] | |
end | |
+ | |
+ test "authentication request with nil credentials" do | |
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil) | |
+ get :index | |
+ | |
+ assert_response :unauthorized | |
+ assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request" | |
+ assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request" | |
+ end | |
test "authentication request with invalid password" do | |
@request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo') | |
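Review bot: The `assert_not_equal 'Hello Secret', @response.body` on the last added line is redundant once the preceding `assert_equal "HTTP Digest: Access denied.\n", @response.body` has passed, and it repeats the same failure message; drop it or turn it into a check that actually adds coverage. The new test only sends nil username and nil password together, so it cannot tell "credentials were nil" apart from "the password procedure returned nil for an unknown user", which is the path the fix guards; a second case with a plausible unknown name and an empty password, e.g. `encode_credentials(:username => 'nobody', :password => '')`, would pin the bypass directly (assuming the controller's lookup returns nil for unknown names, which is not visible here). The hunk starts inside the previous test and the enclosing test class extends beyond it.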
@@ -167,6 +176,11 @@ class HttpDigestAuthenticationTest < ActionController::TestCase | |
assert assigns(:logged_in) | |
assert_equal 'Definitely Maybe', @response.body | |
end | |
+ | |
+ test "validate_digest_response should fail with nil returning password_procedure" do | |
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil) | |
+ assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil} | |
+ end | |
private | |
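Review bot: The test name promises a nil-returning password procedure, but the request it builds also carries nil username and nil password, so a falsy result may come from the credentials before the `{nil}` block is ever invoked; to isolate the path the fix adds, send credentials for a known-looking user and let the block be the only nil source, e.g. `encode_credentials(:username => 'pretty', :password => 'foo')` as the neighbouring test does, keeping `{nil}`. `assert !...` also accepts a nil return, whereas the new guard specifically returns false; `assert_equal false, ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret") { nil }` pins the contract the updated doc comment now states. The test class continues past `private`, outside the hunk.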
-- | |
1.6.1.3 | |