aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
diff options
context:
space:
mode:
authorPiotr Sarnacki <drogus@gmail.com>2011-12-20 21:01:47 +0100
committerPiotr Sarnacki <drogus@gmail.com>2011-12-21 00:02:58 +0100
commit3131a9379766a735a80220fd2e94cb07791bed9c (patch)
tree28012bddb8658f8b42a60f1a5fdb397773aaf116 /actionpack/lib/action_controller
parent80ab9e2a7434a445eaacb097832fbad24ed01960 (diff)
downloadrails-3131a9379766a735a80220fd2e94cb07791bed9c.tar.gz
rails-3131a9379766a735a80220fd2e94cb07791bed9c.tar.bz2
rails-3131a9379766a735a80220fd2e94cb07791bed9c.zip
Fix http digest authentication with trailing '/' or '?' (fixes #4038 and #3228)
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb13
1 files changed, 8 insertions, 5 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 264806cd36..56335a22cb 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -192,12 +192,15 @@ module ActionController
return false unless password
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
- uri = credentials[:uri][0,1] == '/' ? request.fullpath : request.url
+ uri = credentials[:uri][0,1] == '/' ? request.original_fullpath : request.original_url
- [true, false].any? do |password_is_ha1|
- expected = expected_response(method, uri, credentials, password, password_is_ha1)
- expected == credentials[:response]
- end
+ [true, false].any? do |trailing_question_mark|
+ [true, false].any? do |password_is_ha1|
+ _uri = trailing_question_mark ? uri + "?" : uri
+ expected = expected_response(method, _uri, credentials, password, password_is_ha1)
+ expected == credentials[:response]
+ end
+ end
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 07:24:32 +0000