From 95332abe091d0fe8b6b108fffa8208af21a4cca0 Mon Sep 17 00:00:00 2001
From: Brad Dunbar <dunbarb2@gmail.com>
Date: Mon, 21 Jan 2013 15:31:34 -0500
Subject: Digest auth should not 500 when given a basic header.

---
 actionpack/CHANGELOG.md                                       | 5 +++++
 actionpack/lib/action_controller/metal/http_authentication.rb | 1 +
 actionpack/test/controller/http_digest_authentication_test.rb | 8 ++++++++
 3 files changed, 14 insertions(+)

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 69096443fe..97bd2bf97f 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## Rails 4.0.0 (unreleased) ##
 
+*   Ensure that digest authentication responds with a 401 status when a basic
+    header is received.
+
+    *Brad Dunbar*
+
 *   Include I18n locale fallbacks in view lookup.
     Fixes GH#3512.
 
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index e295002b16..c7bb2dd147 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -299,6 +299,7 @@ module ActionController
       # allow a user to use new nonce without prompting user again for their
       # username and password.
       def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
+        return false if value.nil?
         t = ::Base64.decode64(value).split(":").first.to_i
         nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
       end
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 537de7a2dd..4287856550 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -249,6 +249,14 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
     assert_equal 'Definitely Maybe', @response.body
   end
 
+  test "when sent a basic auth header, returns Unauthorized" do
+    @request.env['HTTP_AUTHORIZATION'] = 'Basic Gwf2aXq8ZLF3Hxq='
+
+    get :display
+
+    assert_response :unauthorized
+  end
+
   private
 
   def encode_credentials(options)
-- 
cgit v1.2.3