Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/caching_test.rb14
-rw-r--r--actionpack/test/controller/http_digest_authentication_test.rb53
-rw-r--r--actionpack/test/controller/session/mem_cache_store_test.rb40
3 files changed, 84 insertions, 23 deletions
diff --git a/actionpack/test/controller/caching_test.rb b/actionpack/test/controller/caching_test.rb
index 9af1ccc740..86dafd9221 100644
--- a/actionpack/test/controller/caching_test.rb
+++ b/actionpack/test/controller/caching_test.rb
@@ -428,6 +428,20 @@ class ActionCacheTest < ActionController::TestCase
assert_equal 'application/xml', @response.content_type
end
+ def test_correct_content_type_is_returned_for_cache_hit_on_action_with_string_key
+ # run it twice to cache it the first time
+ get :show, :format => 'xml'
+ get :show, :format => 'xml'
+ assert_equal 'application/xml', @response.content_type
+ end
+
+ def test_correct_content_type_is_returned_for_cache_hit_on_action_with_string_key_from_proc
+ # run it twice to cache it the first time
+ get :edit, :id => 1, :format => 'xml'
+ get :edit, :id => 1, :format => 'xml'
+ assert_equal 'application/xml', @response.content_type
+ end
+
def test_empty_path_is_normalized
@mock_controller.mock_url_for = 'http://example.org/'
@mock_controller.mock_path = '/'
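Review bot: Neither `test_correct_content_type_is_returned_for_cache_hit_on_action_with_string_key` nor its `_from_proc` twin confirms that the second request was served from the action cache, so both would pass equally with caching disabled; all they check is the content type of an ordinary response. If this test class has a way to inspect the cache store, assert that the action's entry exists after the first `get` and only then check the content type of the second; otherwise the tests do not exercise the cache-hit path their names describe. The comment `# run it twice to cache it the first time` could then be made precise, e.g. `# first request populates the action cache; the second must be served from it with the original content type`.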
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 4913e7633b..00789eea38 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -5,7 +5,8 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
before_filter :authenticate, :only => :index
before_filter :authenticate_with_request, :only => :display
- USERS = { 'lifo' => 'world', 'pretty' => 'please' }
+ USERS = { 'lifo' => 'world', 'pretty' => 'please',
+ 'dhh' => ::Digest::MD5::hexdigest(["dhh","SuperSecret","secret"].join(":"))}
def index
render :text => "Hello Secret"
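Review bot: The HA1 value for `'dhh'` in `USERS` is recomputed from the same literal triple in the later hunk's test (`:password => ::Digest::MD5::hexdigest(["dhh","SuperSecret","secret"].join(":"))`), so the constant and the test can drift apart without either noticing. The test should reference the constant instead: `:password => USERS['dhh'], :password_is_ha1 => true`. A short comment on the constant would also help a reader who does not know the Digest scheme, since the middle element is the realm and presumably has to match the one the controller sends in its challenge: `# HA1 = MD5(username:realm:password); realm must equal the one the controller advertises`. The hunk's trailing context cuts into `index`, which continues outside it.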
@@ -107,8 +108,42 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
assert_equal 'Definitely Maybe', @response.body
end
- test "authentication request with relative URI" do
- @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:uri => "/", :username => 'pretty', :password => 'please')
+ test "authentication request with valid credential and nil session" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'please')
+
+ # session_id = "" in functional test, but is +nil+ in real life
+ @request.session.session_id = nil
+ get :display
+
+ assert_response :success
+ assert assigns(:logged_in)
+ assert_equal 'Definitely Maybe', @response.body
+ end
+
+ test "authentication request with request-uri that doesn't match credentials digest-uri" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'please')
+ @request.env['REQUEST_URI'] = "/http_digest_authentication_test/dummy_digest/altered/uri"
+ get :display
+
+ assert_response :unauthorized
+ assert_equal "Authentication Failed", @response.body
+ end
+
+ test "authentication request with absolute uri" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:uri => "http://test.host/http_digest_authentication_test/dummy_digest/display",
+ :username => 'pretty', :password => 'please')
+ @request.env['REQUEST_URI'] = "http://test.host/http_digest_authentication_test/dummy_digest/display"
+ get :display
+
+ assert_response :success
+ assert assigns(:logged_in)
+ assert_equal 'Definitely Maybe', @response.body
+ end
+
+ test "authentication request with password stored as ha1 digest hash" do
+ @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'dhh',
+ :password => ::Digest::MD5::hexdigest(["dhh","SuperSecret","secret"].join(":")),
+ :password_is_ha1 => true)
get :display
assert_response :success
@@ -119,18 +154,22 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
private
def encode_credentials(options)
- options.reverse_merge!(:nc => "00000001", :cnonce => "0a4f113b")
+ options.reverse_merge!(:nc => "00000001", :cnonce => "0a4f113b", :password_is_ha1 => false)
password = options.delete(:password)
- # Perform unautheticated get to retrieve digest parameters to use on subsequent request
+ # Set in /initializers/session_store.rb. Used as secret in generating nonce
+ # to prevent tampering of timestamp
+ ActionController::Base.session_options[:secret] = "session_options_secret"
+
+ # Perform unauthenticated GET to retrieve digest parameters to use on subsequent request
get :index
assert_response :unauthorized
credentials = decode_credentials(@response.headers['WWW-Authenticate'])
credentials.merge!(options)
- credentials.reverse_merge!(:uri => "http://#{@request.host}#{@request.env['REQUEST_URI']}")
- ActionController::HttpAuthentication::Digest.encode_credentials("GET", credentials, password)
+ credentials.reverse_merge!(:uri => "#{@request.env['REQUEST_URI']}")
+ ActionController::HttpAuthentication::Digest.encode_credentials("GET", credentials, password, options[:password_is_ha1])
end
def decode_credentials(header)
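Review bot: `ActionController::Base.session_options[:secret] = "session_options_secret"` at the top of `encode_credentials` mutates process-wide configuration from inside a per-test helper and nothing restores it, so the value leaks into every test that runs afterwards and the helper's result now depends on call order. Save the previous value and set it in the test case's `setup`, restoring it in `teardown`, rather than re-assigning on every call. Separately, `credentials.reverse_merge!(:uri => "#{@request.env['REQUEST_URI']}")` interpolates a single value only to stringify it, which also silently turns a missing `REQUEST_URI` into `""`; `credentials.reverse_merge!(:uri => @request.env['REQUEST_URI'])` states the intent directly. The comment `# Set in /initializers/session_store.rb ...` describes production configuration rather than this helper; something like `# nonce generation needs a session secret; presumably the app initializer is not loaded in functional tests, so set one here` would say why the line exists.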
diff --git a/actionpack/test/controller/session/mem_cache_store_test.rb b/actionpack/test/controller/session/mem_cache_store_test.rb
index c3a6c8ce45..2f80a3c7c2 100644
--- a/actionpack/test/controller/session/mem_cache_store_test.rb
+++ b/actionpack/test/controller/session/mem_cache_store_test.rb
@@ -17,11 +17,14 @@ class MemCacheStoreTest < ActionController::IntegrationTest
end
def get_session_id
- render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
+ session[:foo]
+ render :text => "#{request.session_options[:id]}"
end
def call_reset_session
+ session[:bar]
reset_session
+ session[:bar] = "baz"
head :ok
end
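Review bot: The bare expressions `session[:foo]` in `get_session_id` and `session[:bar]` in `call_reset_session` discard their value and read as dead code; presumably they are there to force the session to be loaded before the id is read or before `reset_session` runs, and that intent should be stated on each line, e.g. `session[:bar] # touch the session so it is loaded before reset_session`. Without the comment the next maintainer is likely to delete them and quietly change what the tests exercise. Also `render :text => "#{request.session_options[:id]}"` interpolates a single value only to stringify it; `render :text => request.session_options[:id].to_s` is clearer.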
@@ -58,47 +61,52 @@ class MemCacheStoreTest < ActionController::IntegrationTest
end
end
- def test_getting_session_id
+ def test_setting_session_value_after_session_reset
with_test_route_set do
get '/set_session_value'
assert_response :success
assert cookies['_session_id']
session_id = cookies['_session_id']
- get '/get_session_id'
+ get '/call_reset_session'
assert_response :success
- assert_equal "foo: \"bar\"; id: #{session_id}", response.body
- end
- end
+ assert_not_equal [], headers['Set-Cookie']
- def test_prevents_session_fixation
- with_test_route_set do
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
- session_id = cookies['_session_id']
-
- reset!
- get '/set_session_value', :_session_id => session_id
+ get '/get_session_id'
assert_response :success
- assert_equal nil, cookies['_session_id']
+ assert_not_equal session_id, response.body
end
end
- def test_setting_session_value_after_session_reset
+ def test_getting_session_id
with_test_route_set do
get '/set_session_value'
assert_response :success
assert cookies['_session_id']
+ session_id = cookies['_session_id']
- get '/call_reset_session'
+ get '/get_session_id'
assert_response :success
- assert_not_equal [], headers['Set-Cookie']
+ assert_equal session_id, response.body
+ end
+ end
+ def test_prevents_session_fixation
+ with_test_route_set do
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
+ session_id = cookies['_session_id']
+
+ reset!
+
+ get '/set_session_value', :_session_id => session_id
+ assert_response :success
+ assert_equal nil, cookies['_session_id']
end
end
rescue LoadError, RuntimeError
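Review bot: `test_setting_session_value_after_session_reset` never checks the value that `call_reset_session` stores after the reset (`session[:bar] = "baz"` in the earlier hunk); it only asserts that `foo` is gone and that the id changed, so a reset that drops every subsequent write would still pass. Add a request that renders `session[:bar]` (the `get_session_value` action appears to render only `foo`, judging by the `'foo: nil'` assertion) and assert `"baz"` comes back. In `test_prevents_session_fixation`, `assert_equal nil, cookies['_session_id']` should be `assert_nil cookies['_session_id']`, which reads as the intended check and gives a clearer failure message. The `rescue LoadError, RuntimeError` in the trailing context belongs to the enclosing class body, which continues outside the hunk.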