Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 | ||||
-rw-r--r-- | actionpack/test/controller/http_basic_authentication_test.rb | 7 |
2 files changed, 13 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 158d552ec7..0e3b0529f7 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -100,7 +100,12 @@ module ActionController
       end
 
       def decode_credentials(request)
-        ::Base64.decode64(request.authorization.split(' ', 2).last || '')
+        scheme, param = request.authorization.split(' ', 2)
+        if scheme == 'Basic'
+          ::Base64.decode64(param || '')
+        else
+          ''
+        end
       end
 
       def encode_credentials(user_name, password)
diff --git a/actionpack/test/controller/http_basic_authentication_test.rb b/actionpack/test/controller/http_basic_authentication_test.rb
index 90548d4294..9052fc6962 100644
--- a/actionpack/test/controller/http_basic_authentication_test.rb
+++ b/actionpack/test/controller/http_basic_authentication_test.rb
@@ -129,6 +129,13 @@ class HttpBasicAuthenticationTest < ActionController::TestCase
     assert_response :unauthorized
   end
 
+  test "authentication request with wrong scheme" do
+    header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1]
+    @request.env['HTTP_AUTHORIZATION'] = header
+    get :search
+    assert_response :unauthorized
+  end
+
   private
 
   def encode_credentials(username, password)
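Review bot: The new `scheme == 'Basic'` test in decode_credentials is case-sensitive, while HTTP auth-scheme tokens are case-insensitive (RFC 7235 §2.1), so a client sending `basic dXNlcjpwYXNz` — which the old code accepted — now silently decodes to `''`. If exact-case matching is not the intent, `if scheme && scheme.casecmp('Basic').zero?` keeps the nil guard (an empty Authorization header splits to `[]`, leaving `scheme` nil) and accepts the RFC-permitted spellings. Either way a one-line comment stating the decision, e.g. `# Only Basic credentials are decoded; other schemes (Bearer, Digest, ...) yield '' so they can never be mistaken for a user:password pair.`, would document why non-Basic input is mapped to an empty string rather than raised on. As before the change, a nil `request.authorization` would raise NoMethodError on `split`; presumably the caller checks for the header first, but that is outside this hunk.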
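Review bot: The new test pins only the Bearer case; the behaviour of decode_credentials for a case-variant scheme such as `'basic '` is left untested, although it is exactly the input whose outcome changes with this commit (exact-match rejects it, a case-insensitive match would accept it). A sibling test `test "authentication request with lowercase scheme"` that builds the header with `'basic '` in place of `'Bearer '` and asserts whichever response is intended would document the decision and guard against accidental regressions. The helper `encode_credentials` it relies on is defined outside the hunk.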