Merge pull request #14212 from tylerhunt/fix-token-regex

Handle tab in token authentication header.

Merge pull request #14212 from tylerhunt/fix-token-regex
Handle tab in token authentication header.
1ad94e76 · Sean Griffin · dc3d3fb0 · d5a0d710 · 1ad94e76 · 1ad94e76
2 changed file
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -397,7 +397,7 @@ def opaque(secret_key)
    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
    module Token
      TOKEN_KEY = 'token='
-      TOKEN_REGEX = /^(Token|Bearer) /
+      TOKEN_REGEX = /^(Token|Bearer)\s+/
      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
      extend self


--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -94,6 +94,14 @@ def authenticate_long_credentials
    assert_response :success
  end

+  test "authentication request with tab in header" do
+    @request.env['HTTP_AUTHORIZATION'] = "Token\ttoken=\"lifo\""
+    get :index
+
+    assert_response :success
+    assert_equal 'Hello Secret', @response.body
+  end
+
  test "authentication request without credential" do
    get :display