From 6f98b49894d4dcf0817c790af5e7908166ecff26 Mon Sep 17 00:00:00 2001
From: Christian Neukirchen
Date: Sun, 13 Mar 2011 01:25:45 +0100
Subject: MD5 Digest auth: fail if authenticator returns nil

Fixes the authenticator API to deny access if nil is returned from the authenticator block. Without this patch, the nil gets to_s'd to "" and an empty password would be accepted.

Backported to rack-1.1.

Signed-off-by: Christian Neukirchen
---
 lib/rack/auth/digest/md5.rb   | 3 ++-
 test/spec_rack_auth_digest.rb | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/rack/auth/digest/md5.rb b/lib/rack/auth/digest/md5.rb
index e579dc96..d277571c 100644
--- a/lib/rack/auth/digest/md5.rb
+++ b/lib/rack/auth/digest/md5.rb
@@ -91,7 +91,8 @@ module Rack
       end
 
       def valid_digest?(auth)
-        digest(auth, @authenticator.call(auth.username)) == auth.response
+        pw = @authenticator.call(auth.username)
+        pw && digest(auth, pw) == auth.response
       end
 
       def md5(data)
diff --git a/test/spec_rack_auth_digest.rb b/test/spec_rack_auth_digest.rb
index a980acc8..7413aa48 100644
--- a/test/spec_rack_auth_digest.rb
+++ b/test/spec_rack_auth_digest.rb
@@ -151,6 +151,12 @@ context 'Rack::Auth::Digest::MD5' do
     end
   end
 
+  specify 'rechallenge if incorrect user and blank password given' do
+    request_with_digest_auth 'GET', '/', 'Bob', '' do |response|
+      assert_digest_auth_challenge response
+    end
+  end
+
   specify 'should rechallenge with stale parameter if nonce is stale' do
     begin
       Rack::Auth::Digest::Nonce.time_limit = 1
-- 
cgit v1.2.3-24-ge0c7
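Review bot: The new guard in `valid_digest?` denies only a nil (or false) authenticator result; an authenticator that returns an empty string for an unknown user still matches a blank password on the following line, because `"" && digest(auth, pw) == auth.response` is truthy, so the commit message's "empty password would be accepted" is closed only for callers that honour the nil contract, which nothing in this hunk documents. A comment above the method would pin that contract for implementers: `# The authenticator must return the user's plaintext password, or nil for an unknown user; nil (or false) denies access without computing a digest.`. Separately, comparing the computed digest to `auth.response` with `==` is a short-circuiting string comparison rather than a constant-time one; if a timing-safe helper such as `Rack::Utils.secure_compare` exists on this branch it would be the better choice here, though that predates and is outside the scope of this fix. The method itself is complete within the hunk; the surrounding `end`/`def md5(data)` lines belong to neighbouring methods.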
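Review bot: The new spec's name, "incorrect user and blank password", does not say which regression it guards, and the body depends on the suite's authenticator returning nil for `'Bob'` (defined outside this hunk, presumably in the context's setup) so a reader cannot tell why the blank password matters rather than any wrong password. A one-line comment inside the spec would make the intent explicit: `# Regression: a nil authenticator result used to be to_s'd to "" and matched a blank password.`. If the fixture also includes a known user, a sibling case sending that user with a blank password would show the guard is not simply rejecting unknown usernames.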