diff options
author | Tyler Hunt <tyler@tylerhunt.com> | 2014-02-26 11:38:34 -0500 |
---|---|---|
committer | Tyler Hunt <tyler@tylerhunt.com> | 2014-02-26 11:38:34 -0500 |
commit | d5a0d71037921320210ab719921c9ba621b98ec2 (patch) | |
tree | a67f41302070acdcc04a33f6419d839d6c361efb /actionpack/test | |
parent | 671e997e5a71fbe0ba44d589b34c48b6c6502323 (diff) | |
download | rails-d5a0d71037921320210ab719921c9ba621b98ec2.tar.gz rails-d5a0d71037921320210ab719921c9ba621b98ec2.tar.bz2 rails-d5a0d71037921320210ab719921c9ba621b98ec2.zip |
Handle tab in token authentication header.
The HTTP spec allows for LWS to precede the header content, which
could include multiple SP and HT characters. Update the regex used to
match the Token authorization header to account for this, instead of
matching on a single SP.
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant
parts of the specification.
Diffstat (limited to 'actionpack/test')
-rw-r--r-- | actionpack/test/controller/http_token_authentication_test.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb index 86b94652ce..b7d7cf9c6c 100644 --- a/actionpack/test/controller/http_token_authentication_test.rb +++ b/actionpack/test/controller/http_token_authentication_test.rb @@ -87,6 +87,14 @@ class HttpTokenAuthenticationTest < ActionController::TestCase assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed" end + test "authentication request with tab in header" do + @request.env['HTTP_AUTHORIZATION'] = "Token\ttoken=\"lifo\"" + get :index + + assert_response :success + assert_equal 'Hello Secret', @response.body + end + test "authentication request without credential" do get :display |