| author | tomykaira <tomykaira@gmail.com> | 2013-07-07 22:39:16 +0900 |
|---|---|---|
| committer | tomykaira <tomykaira@gmail.com> | 2013-07-07 22:39:16 +0900 |
| commit | a7a377ff3950078c44049031315b3b9a96c19bcf | |
| tree | 44cb6650f63677877987c4bdd14019742592b191 | /actionpack/test/controller |
| parent | 239126385f75d84e8d62b65879837db0f5ae2f7a | |
| download | rails-a7a377ff3950078c44049031315b3b9a96c19bcf.tar.gz, rails-a7a377ff3950078c44049031315b3b9a96c19bcf.tar.bz2, rails-a7a377ff3950078c44049031315b3b9a96c19bcf.zip | |
Check authentication scheme in Basic auth

`authenticate_with_http_basic` and its family should check that the authentication
scheme is "Basic".
A different scheme, such as OAuth2 Bearer, should be rejected by basic auth, but
it was passing, as the test shows.
This fixes #10257.
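The following is an added example, not code from Rails or from this commit. It contrasts the behaviour the commit message describes (a parser that ignores the scheme token and decodes whatever follows the first space) with a parser that requires the scheme to be `Basic` before decoding, and builds a small `authenticate_with_http_basic`-style check on top of it. The method names, the constant-time compare helper and the sample headers are assumptions made for the example; the credentials are constructed.

```ruby
require 'base64'

# Added example (not Rails' own code): why a Basic-auth parser must check
# the scheme token before decoding credentials.

# Constructed sample Authorization headers; the credentials are made up.
CREDS      = Base64.strict_encode64('David:Goliath')
BASIC_HDR  = "Basic #{CREDS}"
LOWER_HDR  = "basic #{CREDS}"   # scheme tokens are case-insensitive (RFC 7617)
BEARER_HDR = "Bearer #{CREDS}"  # a bearer token that happens to be base64("user:pass")

# "Before" behaviour: the scheme is ignored and everything after the first
# space is base64-decoded, so a Bearer header is accepted as Basic credentials.
def user_and_password_scheme_blind(header)
  return nil if header.nil? || header.empty?
  user, password = Base64.decode64(header.split(' ', 2).last).split(':', 2)
  return nil if user.nil? || password.nil?
  [user, password]
end

# "After" behaviour: the scheme token must be Basic (compared case-insensitively)
# and the payload must be well-formed base64 containing "user:password".
def user_and_password_scheme_checked(header)
  return nil if header.nil?
  scheme, encoded = header.strip.split(' ', 2)
  return nil unless scheme && encoded && scheme.casecmp?('Basic')
  decoded = begin
    Base64.strict_decode64(encoded.strip)
  rescue ArgumentError
    return nil # not valid base64: reject rather than guess
  end
  user, password = decoded.split(':', 2)
  return nil if user.nil? || password.nil?
  [user, password]
end

# Constant-time comparison so the credential check does not leak a timing
# signal about how many leading bytes matched (assumed helper, not Rails').
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  expected = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ expected.shift }
  result.zero?
end

# Minimal authenticate_with_http_basic-style check on the scheme-aware parser.
# Returns true only for a Basic header carrying the expected credentials.
def authenticate_basic(header, expected_user, expected_password)
  creds = user_and_password_scheme_checked(header)
  return false unless creds
  secure_compare(creds[0], expected_user) & secure_compare(creds[1], expected_password)
end
```

With these definitions, `user_and_password_scheme_blind(BEARER_HDR)` yields the decoded user and password, which is the bug the commit fixes, while `user_and_password_scheme_checked(BEARER_HDR)` returns `nil`; the lower-case `basic` header is still accepted, which is worth keeping in mind when writing the scheme check.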
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r-- | actionpack/test/controller/http_basic_authentication_test.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/actionpack/test/controller/http_basic_authentication_test.rb b/actionpack/test/controller/http_basic_authentication_test.rb index 90548d4294..9052fc6962 100644 --- a/actionpack/test/controller/http_basic_authentication_test.rb +++ b/actionpack/test/controller/http_basic_authentication_test.rb @@ -129,6 +129,13 @@ class HttpBasicAuthenticationTest < ActionController::TestCase assert_response :unauthorized end + test "authentication request with wrong scheme" do + header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1] + @request.env['HTTP_AUTHORIZATION'] = header + get :search + assert_response :unauthorized + end + private def encode_credentials(username, password) |
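Review bot: the new test pins only the negative case. It builds `'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1]` and asserts `:unauthorized`, but nothing here asserts that a header whose scheme differs only in case (`basic …`) is still accepted, even though HTTP auth scheme tokens are case-insensitive; the library-side change is not in this diffstat (limited to actionpack/test/controller), so if it compares the scheme with a case-sensitive `== 'Basic'`, that regression would not be caught. Suggest a sibling test that sets `'basic ' + encode_credentials('David', 'Goliath').split(' ', 2)[1]` and expects success, plus one with an Authorization header containing no space at all, so a scheme-only header is covered as well.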