From d5a0d71037921320210ab719921c9ba621b98ec2 Mon Sep 17 00:00:00 2001
From: Tyler Hunt <tyler@tylerhunt.com>
Date: Wed, 26 Feb 2014 11:38:34 -0500
Subject: Handle tab in token authentication header.

The HTTP spec allows for LWS to precede the header content, which
could include multiple SP and HT characters. Update the regex used to
match the Token authorization header to account for this, instead of
matching on a single SP.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant
parts of the specification.
---
 actionpack/test/controller/http_token_authentication_test.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'actionpack/test')

diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
index 86b94652ce..b7d7cf9c6c 100644
--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -87,6 +87,14 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
     assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
   end
 
+  test "authentication request with tab in header" do
+    @request.env['HTTP_AUTHORIZATION'] = "Token\ttoken=\"lifo\""
+    get :index
+
+    assert_response :success
+    assert_equal 'Hello Secret', @response.body
+  end
+
   test "authentication request without credential" do
     get :display
 
-- 
cgit v1.2.3