diff options
author | nate <nate@inklingmarkets.com> | 2009-05-26 15:06:09 -0500 |
---|---|---|
committer | Michael Koziarski <michael@koziarski.com> | 2009-06-09 19:47:53 +1200 |
commit | f68cc639f57a9fc261a2e432d1fdd749146d689d (patch) | |
tree | 9f1292940bd191c43073cdfb9aa0f4a757a922ea /actionpack | |
parent | 114e25e7359a76e07114f9914a0fb9baecc67644 (diff) | |
download | rails-f68cc639f57a9fc261a2e432d1fdd749146d689d.tar.gz rails-f68cc639f57a9fc261a2e432d1fdd749146d689d.tar.bz2 rails-f68cc639f57a9fc261a2e432d1fdd749146d689d.zip |
A test to show that http_authentication needs to fail authentication if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_controller/base/http_authentication.rb | 4 | ||||
-rw-r--r-- | actionpack/test/controller/http_digest_authentication_test.rb | 14 |
2 files changed, 17 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/base/http_authentication.rb b/actionpack/lib/action_controller/base/http_authentication.rb index 2893290efb..2519f55269 100644 --- a/actionpack/lib/action_controller/base/http_authentication.rb +++ b/actionpack/lib/action_controller/base/http_authentication.rb @@ -185,7 +185,7 @@ module ActionController request.env['REDIRECT_X_HTTP_AUTHORIZATION'] end - # Raises error unless the request credentials response value matches the expected value. + # Returns false unless the request credentials response value matches the expected value. # First try the password as a ha1 digest password. If this fails, then try it as a plain # text password. def validate_digest_response(request, realm, &password_procedure) @@ -194,6 +194,8 @@ module ActionController if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque] password = password_procedure.call(credentials[:username]) + return false unless password + method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD'] [true, false].any? do |password_is_ha1| diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb index 15a11395bb..58f3b88075 100644 --- a/actionpack/test/controller/http_digest_authentication_test.rb +++ b/actionpack/test/controller/http_digest_authentication_test.rb @@ -76,6 +76,15 @@ class HttpDigestAuthenticationTest < ActionController::TestCase assert_equal 'SuperSecret', credentials[:realm] end + test "authentication request with nil credentials" do + @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil) + get :index + + assert_response :unauthorized + assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request" + assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request" + end + test "authentication request with invalid password" do @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo') get :display @@ -168,6 +177,11 @@ class HttpDigestAuthenticationTest < ActionController::TestCase assert_equal 'Definitely Maybe', @response.body end + test "validate_digest_response should fail with nil returning password_procedure" do + @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil) + assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil} + end + private def encode_credentials(options) |