Merge pull request #14212 from tylerhunt/fix-token-regex

Handle tab in token authentication header.
2022-11-09 12:12:34 -05:00 · 2015-12-15 10:59:54 -07:00 · 2015-12-15 10:59:54 -07:00 · 1ad94e760d
commit 1ad94e760d
parent dc3d3fb0b9 d5a0d71037
2 changed files with 9 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@ -397,7 +397,7 @@ module ActionController
    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
    module Token
      TOKEN_KEY = 'token='
-      TOKEN_REGEX = /^(Token|Bearer) /
+      TOKEN_REGEX = /^(Token|Bearer)\s+/
      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
      extend self

--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@ -94,6 +94,14 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
    assert_response :success
  end

+  test "authentication request with tab in header" do
+    @request.env['HTTP_AUTHORIZATION'] = "Token\ttoken=\"lifo\""
+    get :index
+
+    assert_response :success
+    assert_equal 'Hello Secret', @response.body
+  end
+
  test "authentication request without credential" do
    get :display