author | Christian Neukirchen <chneukirchen@gmail.com> | 2011-03-13 01:25:45 +0100 |
---|---|---|
committer | Christian Neukirchen <chneukirchen@gmail.com> | 2011-03-13 14:53:27 +0100 |
commit | 6f98b49894d4dcf0817c790af5e7908166ecff26 (patch) | |
tree | ad4babe1708360967bf1b1d809d8b1e2fd3025c5 | |
parent | eab4da6aab7041949c8f630ec9ed9b045f11ed01 (diff) | |
download | rack-6f98b49894d4dcf0817c790af5e7908166ecff26.tar.gz |
MD5 Digest auth: fail if authenticator returns nil
Fixes the authenticator API to deny access if nil is returned from the authenticator block. Without this patch, the nil gets to_s'd to "" and an empty password would be accepted. Backported to rack-1.1. Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
-rw-r--r-- | lib/rack/auth/digest/md5.rb | 3 | ||||
-rw-r--r-- | test/spec_rack_auth_digest.rb | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/lib/rack/auth/digest/md5.rb b/lib/rack/auth/digest/md5.rb
index e579dc96..d277571c 100644
--- a/lib/rack/auth/digest/md5.rb
+++ b/lib/rack/auth/digest/md5.rb
@@ -91,7 +91,8 @@ module Rack
         end
 
         def valid_digest?(auth)
-          digest(auth, @authenticator.call(auth.username)) == auth.response
+          pw = @authenticator.call(auth.username)
+          pw && digest(auth, pw) == auth.response
         end
 
         def md5(data)
diff --git a/test/spec_rack_auth_digest.rb b/test/spec_rack_auth_digest.rb
index a980acc8..7413aa48 100644
--- a/test/spec_rack_auth_digest.rb
+++ b/test/spec_rack_auth_digest.rb
@@ -151,6 +151,12 @@ context 'Rack::Auth::Digest::MD5' do
     end
   end
 
+  specify 'rechallenge if incorrect user and blank password given' do
+    request_with_digest_auth 'GET', '/', 'Bob', '' do |response|
+      assert_digest_auth_challenge response
+    end
+  end
+
   specify 'should rechallenge with stale parameter if nonce is stale' do
     begin
       Rack::Auth::Digest::Nonce.time_limit = 1 |
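Review bot: `valid_digest?` now returns `nil` rather than `false` when the authenticator yields nothing, because `pw && …` short-circuits to `pw` itself; a guard clause keeps the predicate strictly boolean and reads as the intent: `return false unless pw` followed by `digest(auth, pw) == auth.response`. The guard only covers `nil`/`false` — an authenticator that returns `""` for a user still lets a blank password validate, so the contract that "nil means unknown user, any string is the user's password" should be stated above the method, e.g. `# authenticator returns the user's plaintext password, or nil when the user is unknown`. The `==` on the hex digests is a plain string comparison; a constant-time comparison helper, if one is available to this Rack version, would avoid leaking how many leading characters of the response matched via timing. The added spec in test/spec_rack_auth_digest.rb only exercises the `nil` case and presumably relies on the spec's authenticator returning `nil` for 'Bob'; a companion case where the authenticator returns `''` would pin down whichever behaviour is intended for that input.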