author | tomykaira <tomykaira@gmail.com> | 2013-07-07 22:39:16 +0900 |
---|---|---|
committer | tomykaira <tomykaira@gmail.com> | 2013-07-07 22:39:16 +0900 |
commit | a7a377ff3950078c44049031315b3b9a96c19bcf (patch) | |
tree | 44cb6650f63677877987c4bdd14019742592b191 /actionpack/lib | |
parent | 239126385f75d84e8d62b65879837db0f5ae2f7a (diff) | |
download | rails-a7a377ff3950078c44049031315b3b9a96c19bcf.tar.gz rails-a7a377ff3950078c44049031315b3b9a96c19bcf.tar.bz2 rails-a7a377ff3950078c44049031315b3b9a96c19bcf.zip |
Check authentication scheme in Basic auth
`authenticate_with_http_basic` and its families should check that the authentication
scheme is "Basic".
Different schemes, such as OAuth2 Bearer, should be rejected by basic auth, but
it was passing, as the test shows.
This fixes #10257.
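To make the behaviour described in the commit message concrete, here is an added example (not Rails code and not part of this commit) that models the pre-fix credential decoder next to a scheme-checking one. The `decode_credentials_before` / `decode_credentials_after` functions, the `authenticated?` helper and the header values are constructed for this illustration; the case-insensitive scheme comparison in the "after" version is an assumption that goes beyond the patch, which compares the scheme with `==`.

```ruby
require 'base64'

# Constructed model of the pre-fix behaviour: whatever follows the first space
# in the Authorization header is base64-decoded, regardless of the scheme.
def decode_credentials_before(authorization)
  Base64.decode64(authorization.to_s.split(' ', 2).last || '')
end

# Constructed model of the fixed behaviour: only a "Basic" scheme is decoded,
# anything else yields empty credentials. The case-insensitive comparison is an
# assumption made here; HTTP auth-scheme tokens are case-insensitive.
def decode_credentials_after(authorization)
  scheme, param = authorization.to_s.split(' ', 2)
  return '' unless scheme && scheme.casecmp('Basic').zero?
  Base64.decode64(param || '')
end

# Split "user:password" into its two parts, as the Rails helper of the same name does.
def user_name_and_password(decoded)
  decoded.split(':', 2)
end

# Run a decoder over a header and compare against the expected credentials.
def authenticated?(authorization, expected_user, expected_password, decoder)
  user, pass = user_name_and_password(send(decoder, authorization))
  user == expected_user && pass == expected_password
end

# Constructed header values: a genuine Basic header, and a Bearer header whose
# token happens to base64-decode to the same "user:password" string.
BASIC_HEADER  = "Basic #{Base64.strict_encode64('alice:s3cret')}"
BEARER_HEADER = "Bearer #{Base64.strict_encode64('alice:s3cret')}"

if __FILE__ == $0
  [BASIC_HEADER, BEARER_HEADER].each do |header|
    before = authenticated?(header, 'alice', 's3cret', :decode_credentials_before)
    after  = authenticated?(header, 'alice', 's3cret', :decode_credentials_after)
    puts "#{header.split(' ').first.ljust(6)} before-fix: #{before}  after-fix: #{after}"
  end
end
```

Running the block shows the point of the commit: the pre-fix decoder accepts the Bearer header as if it were Basic credentials, while the scheme-checking decoder accepts only the Basic header.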
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 158d552ec7..0e3b0529f7 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -100,7 +100,12 @@ module ActionController end def decode_credentials(request) - ::Base64.decode64(request.authorization.split(' ', 2).last || '') + scheme, param = request.authorization.split(' ', 2) + if scheme == 'Basic' + ::Base64.decode64(param || '') + else + '' + end end def encode_credentials(user_name, password) |
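Review bot: the scheme comparison `if scheme == 'Basic'` in `decode_credentials` is case-sensitive, while the HTTP auth-scheme token is case-insensitive, so a client sending `basic <credentials>` in lowercase would now be rejected where the previous code accepted it; consider `scheme && scheme.casecmp('Basic').zero?` (or a `/\ABasic\z/i` match) so that only non-Basic schemes are turned away. Returning `''` for other schemes is a sensible sentinel, since the caller's `user_name_and_password` then produces no user or password, but a one-line comment stating that intent would help the next reader; note also that a nil `request.authorization` still raises on `split` exactly as before, so guarding with `.to_s` here would remove that pre-existing edge case at no cost.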