From: Jean-Philippe Lang Date: Sun, 23 Feb 2014 08:20:42 +0000 (+0000) Subject: Merged r12915 to 12918 (#16107). X-Git-Tag: 2.5.0~12 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=63212e5c1682a03c6a1e2438b99251405d03101f;p=redmine.git Merged r12915 to 12918 (#16107). git-svn-id: http://svn.redmine.org/redmine/branches/2.5-stable@12923 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index b297aa738..43257b2bf 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base if (key = api_key_from_request) # Use API key user = User.find_by_api_key(key) - else + elsif request.authorization.to_s =~ /\ABasic /i # HTTP Basic, either username/password or API key/random authenticate_with_http_basic do |username, password| user = User.try_to_login(username, password) || User.find_by_api_key(username) diff --git a/app/models/user.rb b/app/models/user.rb index a31cb46e9..4a33590f7 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -384,8 +384,8 @@ class User < Principal # Find a user account by matching the exact login and then a case-insensitive # version. Exact matches will be given priority. def self.find_by_login(login) + login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s) if login.present? - login = login.to_s # First look for an exact match user = where(:login => login).detect {|u| u.login == login} unless user diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb index 3a6a4d696..16c589d3e 100644 --- a/test/integration/api_test/authentication_test.rb +++ b/test/integration/api_test/authentication_test.rb @@ -28,6 +28,29 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base Setting.rest_api_enabled = '0' end + def test_api_should_trigger_basic_http_auth_with_basic_authorization_header + ApplicationController.any_instance.expects(:authenticate_with_http_basic).once + get '/users/current.xml', {}, credentials('jsmith') + assert_response 401 + end + + def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header + ApplicationController.any_instance.expects(:authenticate_with_http_basic).never + get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar' + assert_response 401 + end + + def test_invalid_utf8_credentials_should_not_trigger_an_error + invalid_utf8 = "\x82" + if invalid_utf8.respond_to?(:force_encoding) + invalid_utf8.force_encoding('UTF-8') + assert !invalid_utf8.valid_encoding? + end + assert_nothing_raised do + get '/users/current.xml', {}, credentials(invalid_utf8, "foo") + end + end + def test_api_request_should_not_use_user_session log_user('jsmith', 'jsmith')