From d5a0d71037921320210ab719921c9ba621b98ec2 Mon Sep 17 00:00:00 2001 From: Tyler Hunt Date: Wed, 26 Feb 2014 11:38:34 -0500 Subject: Handle tab in token authentication header. The HTTP spec allows for LWS to precede the header content, which could include multiple SP and HT characters. Update the regex used to match the Token authorization header to account for this, instead of matching on a single SP. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant parts of the specification.
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib/action_controller/metal/http_authentication.rb')
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 1acc19d74b..affeda8de6 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -385,7 +385,7 @@ module ActionController
 #
 # RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
 module Token
- TOKEN_REGEX = /^Token /
+ TOKEN_REGEX = /^Token\s+/
 AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
 extend self
-- cgit v1.2.3
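Review bot: The new `TOKEN_REGEX = /^Token\s+/` accepts more than the SP and HT the commit message describes, because `\s` also matches CR, LF, form feed and vertical tab. The retained `^` also anchors at the start of any line in Ruby, not only at the start of the string. For a pattern that decides whether an Authorization value uses the Token scheme, `TOKEN_REGEX = /\AToken[ \t]+/` would allow only spaces and tabs after the scheme name and only at the beginning of the value. How the constant is used lies outside this hunk, so whether a value containing line breaks can reach it should be confirmed against the callers. The body of `module Token` continues past the end of the hunk.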