From a7a377ff3950078c44049031315b3b9a96c19bcf Mon Sep 17 00:00:00 2001 From: tomykaira Date: Sun, 7 Jul 2013 22:39:16 +0900 Subject: Check authentication scheme in Basic auth `authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257. --- actionpack/lib/action_controller/metal/http_authentication.rb | 7 ++++++- actionpack/test/controller/http_basic_authentication_test.rb | 7 +++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 158d552ec7..0e3b0529f7 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -100,7 +100,12 @@ module ActionController end def decode_credentials(request) - ::Base64.decode64(request.authorization.split(' ', 2).last || '') + scheme, param = request.authorization.split(' ', 2) + if scheme == 'Basic' + ::Base64.decode64(param || '') + else + '' + end end def encode_credentials(user_name, password) diff --git a/actionpack/test/controller/http_basic_authentication_test.rb b/actionpack/test/controller/http_basic_authentication_test.rb index 90548d4294..9052fc6962 100644 --- a/actionpack/test/controller/http_basic_authentication_test.rb +++ b/actionpack/test/controller/http_basic_authentication_test.rb @@ -129,6 +129,13 @@ class HttpBasicAuthenticationTest < ActionController::TestCase assert_response :unauthorized end + test "authentication request with wrong scheme" do + header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1] + @request.env['HTTP_AUTHORIZATION'] = header + get :search + assert_response :unauthorized + end + private def encode_credentials(username, password) -- cgit v1.2.3 From 15a98a88c08a30234ece4ba0bf697f18474c04bf Mon Sep 17 00:00:00 2001 From: tomykaira Date: Mon, 8 Jul 2013 07:00:42 +0900 Subject: Run login_procedure only when the auth_scheme is valid --- .../action_controller/metal/http_authentication.rb | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 0e3b0529f7..e7be751cd8 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -90,22 +90,29 @@ module ActionController end def authenticate(request, &login_procedure) - unless request.authorization.blank? + if has_basic_credentials?(request) login_procedure.call(*user_name_and_password(request)) end end + def has_basic_credentials?(request) + request.authorization.present? && (auth_scheme(request) == 'Basic') + end + def user_name_and_password(request) decode_credentials(request).split(/:/, 2) end def decode_credentials(request) - scheme, param = request.authorization.split(' ', 2) - if scheme == 'Basic' - ::Base64.decode64(param || '') - else - '' - end + ::Base64.decode64(auth_param(request) || '') + end + + def auth_scheme(request) + request.authorization.split(' ', 2).first + end + + def auth_param(request) + request.authorization.split(' ', 2).second end def encode_credentials(user_name, password) -- cgit v1.2.3