From a7a377ff3950078c44049031315b3b9a96c19bcf Mon Sep 17 00:00:00 2001
From: tomykaira
Date: Sun, 7 Jul 2013 22:39:16 +0900
Subject: Check authentication scheme in Basic auth

`authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows.

This fixes #10257.
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 158d552ec7..0e3b0529f7 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -100,7 +100,12 @@ module ActionController
       end
 
       def decode_credentials(request)
-        ::Base64.decode64(request.authorization.split(' ', 2).last || '')
+        scheme, param = request.authorization.split(' ', 2)
+        if scheme == 'Basic'
+          ::Base64.decode64(param || '')
+        else
+          ''
+        end
       end
 
       def encode_credentials(user_name, password)
-- 
cgit v1.2.3
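Review bot: The new comparison `scheme == 'Basic'` in decode_credentials is case-sensitive, but the HTTP auth-scheme token is case-insensitive (RFC 2617 §1.2, RFC 7235 §2.1), so a client that sends `basic dXNlcjpwYXNz` and was accepted before this change now silently yields empty credentials. Suggest `if scheme.to_s.casecmp('Basic') == 0`; the `to_s` also keeps the branch safe when the header is an empty string, where `split` leaves `scheme` as nil. A bare `Authorization` header that is nil would still raise on `split` before reaching the comparison — presumably the callers guard this with a presence check, but that is outside the hunk. It may also be worth a comment on the `else` branch noting that a non-Basic scheme is deliberately treated the same as absent credentials, e.g. `# Not Basic (e.g. Bearer): treat as no credentials rather than decoding a foreign token`, since the surrounding module continues outside the hunk and that intent is only visible in the commit message.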