From a7a377ff3950078c44049031315b3b9a96c19bcf Mon Sep 17 00:00:00 2001
From: tomykaira <tomykaira@gmail.com>
Date: Sun, 7 Jul 2013 22:39:16 +0900
Subject: Check authentication scheme in Basic auth

`authenticate_with_http_basic` and its families should check the authentication
schema is "Basic".

Different schema, such as OAuth2 Bearer should be rejected by basic auth, but
it was passing as the test shows.

This fixes #10257.
---
 actionpack/test/controller/http_basic_authentication_test.rb | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'actionpack/test')

diff --git a/actionpack/test/controller/http_basic_authentication_test.rb b/actionpack/test/controller/http_basic_authentication_test.rb
index 90548d4294..9052fc6962 100644
--- a/actionpack/test/controller/http_basic_authentication_test.rb
+++ b/actionpack/test/controller/http_basic_authentication_test.rb
@@ -129,6 +129,13 @@ class HttpBasicAuthenticationTest < ActionController::TestCase
     assert_response :unauthorized
   end
 
+  test "authentication request with wrong scheme" do
+    header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1]
+    @request.env['HTTP_AUTHORIZATION'] = header
+    get :search
+    assert_response :unauthorized
+  end
+
   private
 
   def encode_credentials(username, password)
-- 
cgit v1.2.3