Merge pull request #43209 from mpestov/check-basic-auth-credentials

Check basic auth credentials before authenticate
2021-09-20 18:13:14 -04:00 · 2021-09-20 18:13:14 -04:00 · 20db0845cd
commit 20db0845cd
parent a76344ffc5 22e6cb2576
2 changed files with 6 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@ -103,7 +103,7 @@ def authenticate(request, &login_procedure)
      end

      def has_basic_credentials?(request)
-        request.authorization.present? && (auth_scheme(request).downcase == "basic")
+        request.authorization.present? && (auth_scheme(request).downcase == "basic") && user_name_and_password(request).length == 2
      end

      def user_name_and_password(request)
--- a/actionpack/test/controller/http_basic_authentication_test.rb
+++ b/actionpack/test/controller/http_basic_authentication_test.rb
@ -112,6 +112,11 @@ def test_encode_credentials_has_no_newline
    assert_no_match(/\n/, result)
  end

+  test "has_basic_credentials? should fail with credentials without colon" do
+    @request.env["HTTP_AUTHORIZATION"] = "Basic #{::Base64.encode64("David Goliath")}"
+    assert_not ActionController::HttpAuthentication::Basic.has_basic_credentials?(@request)
+  end
+
  test "successful authentication with uppercase authorization scheme" do
    @request.env["HTTP_AUTHORIZATION"] = "BASIC #{::Base64.encode64("lifo:world")}"
    get :index