Check authentication scheme in Basic auth

`authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257.

Check authentication scheme in Basic auth
`authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257.
a7a377ff · tomykaira · 23912638 · a7a377ff · a7a377ff
2 changed file
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -100,7 +100,12 @@ def user_name_and_password(request)
      end

      def decode_credentials(request)
-        ::Base64.decode64(request.authorization.split(' ', 2).last || '')
+        scheme, param = request.authorization.split(' ', 2)
+        if scheme == 'Basic'
+          ::Base64.decode64(param || '')
+        else
+          ''
+        end
      end

      def encode_credentials(user_name, password)

--- a/actionpack/test/controller/http_basic_authentication_test.rb
+++ b/actionpack/test/controller/http_basic_authentication_test.rb
@@ -129,6 +129,13 @@ def test_encode_credentials_has_no_newline
    assert_response :unauthorized
  end

+  test "authentication request with wrong scheme" do
+    header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1]
+    @request.env['HTTP_AUTHORIZATION'] = header
+    get :search
+    assert_response :unauthorized
+  end
+
  private

  def encode_credentials(username, password)