Digest auth should not 500 when given a basic header.
This commit is contained in:
parent
bfdd3c2182
commit
95332abe09
|
@ -1,5 +1,10 @@
|
|||
## Rails 4.0.0 (unreleased) ##
|
||||
|
||||
* Ensure that digest authentication responds with a 401 status when a basic
|
||||
header is received.
|
||||
|
||||
*Brad Dunbar*
|
||||
|
||||
* Include I18n locale fallbacks in view lookup.
|
||||
Fixes GH#3512.
|
||||
|
||||
|
|
|
@ -299,6 +299,7 @@ module ActionController
|
|||
# allow a user to use new nonce without prompting user again for their
|
||||
# username and password.
|
||||
def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
|
||||
return false if value.nil?
|
||||
t = ::Base64.decode64(value).split(":").first.to_i
|
||||
nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
|
||||
end
|
||||
|
|
|
@ -249,6 +249,14 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
|
|||
assert_equal 'Definitely Maybe', @response.body
|
||||
end
|
||||
|
||||
test "when sent a basic auth header, returns Unauthorized" do
|
||||
@request.env['HTTP_AUTHORIZATION'] = 'Basic Gwf2aXq8ZLF3Hxq='
|
||||
|
||||
get :display
|
||||
|
||||
assert_response :unauthorized
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def encode_credentials(options)
|
||||
|
|
Loading…
Reference in New Issue