authortomykaira <tomykaira@gmail.com>2013-07-07 22:39:16 +0900
committertomykaira <tomykaira@gmail.com>2013-07-07 22:39:16 +0900
commita7a377ff3950078c44049031315b3b9a96c19bcf (patch)
tree44cb6650f63677877987c4bdd14019742592b191 /actionpack/lib/action_controller/metal
parent239126385f75d84e8d62b65879837db0f5ae2f7a (diff)
Check authentication scheme in Basic auth
`authenticate_with_http_basic` and its family should check that the authentication scheme is "Basic". A different scheme, such as OAuth2 Bearer, should be rejected by basic auth, but it was passing, as the test shows. This fixes #10257.
Diffstat (limited to 'actionpack/lib/action_controller/metal')
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb7
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 158d552ec7..0e3b0529f7 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -100,7 +100,12 @@ module ActionController
end
def decode_credentials(request)
- ::Base64.decode64(request.authorization.split(' ', 2).last || '')
+ scheme, param = request.authorization.split(' ', 2)
+ if scheme == 'Basic'
+ ::Base64.decode64(param || '')
+ else
+ ''
+ end
end
def encode_credentials(user_name, password)