Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
From 7f238d71bf1aa00824a87bc1e53f58cbd5f46bb1 Mon Sep 17 00:00:00 2001
From: nate <nate@inklingmarkets.com>
Date: Tue, 26 May 2009 15:06:09 -0500
Subject: [PATCH] A test to show that http_authentication needs to fail authentication if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil.
---
.../action_controller/base/http_authentication.rb | 4 +++-
.../controller/http_digest_authentication_test.rb | 14 ++++++++++++++
2 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/actionpack/lib/action_controller/base/http_authentication.rb b/actionpack/lib/action_controller/base/http_authentication.rb
index 2893290..724f034 100644
--- a/actionpack/lib/action_controller/base/http_authentication.rb
+++ b/actionpack/lib/action_controller/base/http_authentication.rb
@@ -185,7 +185,7 @@ module ActionController
request.env['REDIRECT_X_HTTP_AUTHORIZATION']
end
- # Raises error unless the request credentials response value matches the expected value.
+ # Returns false unless the request credentials response value matches the expected value.
# First try the password as a ha1 digest password. If this fails, then try it as a plain
# text password.
def validate_digest_response(request, realm, &password_procedure)
@@ -194,6 +194,8 @@ module ActionController
if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
password = password_procedure.call(credentials[:username])
+ return false unless password
+
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
[true, false].any? do |password_is_ha1|
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 15a1139..9fd849e 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -75,6 +75,15 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
credentials = decode_credentials(@response.headers['WWW-Authenticate'])
assert_equal 'SuperSecret', credentials[:realm]
end
+
+ test "authentication request with nil credentials" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+ get :index
+
+ assert_response :unauthorized
+ assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request"
+ assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request"
+ end
test "authentication request with invalid password" do
@request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo')
@@ -167,6 +176,11 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
assert assigns(:logged_in)
assert_equal 'Definitely Maybe', @response.body
end
+
+ test "validate_digest_response should fail with nil returning password_procedure" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+ assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil}
+ end
private
--
1.6.1.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment