From df40d79fdc376eae307830e1607ea7455e51280f Mon Sep 17 00:00:00 2001
From: Piotr Sarnacki <drogus@gmail.com>
Date: Wed, 11 Jul 2012 01:56:38 +0200
Subject: Don't raise an error if http auth token isn't well formatted

When someone sends malformed authorization header, like:

    Authorization: Token foobar

given token should be just ignored and resource should not be authorized,
instead of raising error. Before this patch controller would return 401 header
only for well formed tokens, like:

    Authorization: Token token=foobar

and would return 500 in former case.
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 10 ++++++----
 actionpack/test/controller/http_token_authentication_test.rb  |  8 ++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index a0d1064094..0050ede806 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -436,10 +436,12 @@ module ActionController
           values = Hash[$1.split(',').map do |value|
             value.strip!                      # remove any spaces between commas and values
             key, value = value.split(/\=\"?/) # split key=value pairs
-            value.chomp!('"')                 # chomp trailing " in value
-            value.gsub!(/\\\"/, '"')          # unescape remaining quotes
-            [key, value]
-          end]
+            if value
+              value.chomp!('"')                 # chomp trailing " in value
+              value.gsub!(/\\\"/, '"')          # unescape remaining quotes
+              [key, value]
+            end
+          end.compact]
           [values.delete("token"), values.with_indifferent_access]
         end
       end
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
index 3054c1684c..6282ad8a1d 100644
--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -79,6 +79,14 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
     end
   end
 
+  test "authentication request with badly formatted header" do
+      @request.env['HTTP_AUTHORIZATION'] = "Token foobar"
+      get :index
+
+      assert_response :unauthorized
+      assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
+  end
+
   test "authentication request without credential" do
     get :display
 
-- 
cgit v1.2.3