A test to show that http_authentication needs to fail authentication if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
2022-11-09 12:12:34 -05:00 · 2009-05-26 15:06:09 -05:00 · 2009-05-26 15:06:09 -05:00 · f68cc639f5
commit f68cc639f5
parent 114e25e735
2 changed files with 17 additions and 1 deletions
--- a/actionpack/lib/action_controller/base/http_authentication.rb
+++ b/actionpack/lib/action_controller/base/http_authentication.rb
@ -185,7 +185,7 @@ module ActionController
        request.env['REDIRECT_X_HTTP_AUTHORIZATION']
      end

-      # Raises error unless the request credentials response value matches the expected value.
+      # Returns false unless the request credentials response value matches the expected value.
      # First try the password as a ha1 digest password. If this fails, then try it as a plain
      # text password.
      def validate_digest_response(request, realm, &password_procedure)
@ -194,6 +194,8 @@ module ActionController

        if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
          password = password_procedure.call(credentials[:username])
+          return false unless password
+
          method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']

         [true, false].any? do |password_is_ha1|
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@ -76,6 +76,15 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
    assert_equal 'SuperSecret', credentials[:realm]
  end

+  test "authentication request with nil credentials" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+    get :index
+
+    assert_response :unauthorized
+    assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request"
+    assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request"
+  end
+
  test "authentication request with invalid password" do
    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo')
    get :display
@ -168,6 +177,11 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
    assert_equal 'Definitely Maybe', @response.body
  end

+  test "validate_digest_response should fail with nil returning password_procedure" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+    assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil}
+  end
+
  private

  def encode_credentials(options)