authorChristian Neukirchen <chneukirchen@gmail.com>2011-03-13 01:25:45 +0100
committerChristian Neukirchen <chneukirchen@gmail.com>2011-03-13 14:53:27 +0100
commit6f98b49894d4dcf0817c790af5e7908166ecff26 (patch)
treead4babe1708360967bf1b1d809d8b1e2fd3025c5
parenteab4da6aab7041949c8f630ec9ed9b045f11ed01 (diff)
downloadrack-6f98b49894d4dcf0817c790af5e7908166ecff26.tar.gz
MD5 Digest auth: fail if authenticator returns nil
Fixes the authenticator API to deny access if nil is returned from the
authenticator block. Without this patch, the nil gets to_s'd to "" and
an empty password would be accepted.

Backported to rack-1.1.

Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
-rw-r--r--lib/rack/auth/digest/md5.rb3
-rw-r--r--test/spec_rack_auth_digest.rb6
2 files changed, 8 insertions, 1 deletions
diff --git a/lib/rack/auth/digest/md5.rb b/lib/rack/auth/digest/md5.rb
index e579dc96..d277571c 100644
--- a/lib/rack/auth/digest/md5.rb
+++ b/lib/rack/auth/digest/md5.rb
@@ -91,7 +91,8 @@ module Rack
         end
 
         def valid_digest?(auth)
-          digest(auth, @authenticator.call(auth.username)) == auth.response
+          pw = @authenticator.call(auth.username)
+          pw && digest(auth, pw) == auth.response
         end
 
         def md5(data)
diff --git a/test/spec_rack_auth_digest.rb b/test/spec_rack_auth_digest.rb
index a980acc8..7413aa48 100644
--- a/test/spec_rack_auth_digest.rb
+++ b/test/spec_rack_auth_digest.rb
@@ -151,6 +151,12 @@ context 'Rack::Auth::Digest::MD5' do
     end
   end
 
+  specify 'rechallenge if incorrect user and blank password given' do
+    request_with_digest_auth 'GET', '/', 'Bob', '' do |response|
+      assert_digest_auth_challenge response
+    end
+  end
+
   specify 'should rechallenge with stale parameter if nonce is stale' do
     begin
       Rack::Auth::Digest::Nonce.time_limit = 1
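Review bot: The new spec's name describes the request ("incorrect user and blank password") but not the behaviour being pinned, which is that a nil return from the authenticator must produce a challenge even though the supplied password digest matches an empty string; renaming it to `specify 'rechallenge if authenticator returns nil even when a blank password is given'` makes the regression it guards against visible in the test output. Whether the suite's authenticator actually returns nil for 'Bob' is decided by setup code outside this hunk, so that assumption is worth a one-line comment inside the spec, e.g. `# 'Bob' is not a known user, so the authenticator returns nil`. The enclosing `context` block starts and ends outside the hunk.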