Check authentication scheme in Basic auth

`authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257.
2022-11-09 12:12:34 -05:00 · 2013-07-07 22:39:16 +09:00 · 2013-07-07 22:39:16 +09:00 · a7a377ff39
commit a7a377ff39
parent 239126385f
2 changed files with 13 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@ -100,7 +100,12 @@ module ActionController
      end

      def decode_credentials(request)
-        ::Base64.decode64(request.authorization.split(' ', 2).last || '')
+        scheme, param = request.authorization.split(' ', 2)
+        if scheme == 'Basic'
+          ::Base64.decode64(param || '')
+        else
+          ''
+        end
      end

      def encode_credentials(user_name, password)
--- a/actionpack/test/controller/http_basic_authentication_test.rb
+++ b/actionpack/test/controller/http_basic_authentication_test.rb
@ -129,6 +129,13 @@ class HttpBasicAuthenticationTest < ActionController::TestCase
    assert_response :unauthorized
  end

+  test "authentication request with wrong scheme" do
+    header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1]
+    @request.env['HTTP_AUTHORIZATION'] = header
+    get :search
+    assert_response :unauthorized
+  end
+
  private

  def encode_credentials(username, password)