Merged r12915 to 12918 (#16107).

git-svn-id: http://svn.redmine.org/redmine/branches/2.5-stable@12923 e93f8b46-1217-0410-a6f0-8f06a7374b81
2014-02-23 08:20:42 +00:00 · 2014-02-23 08:20:42 +00:00 · 63212e5c16
parent 88b3872179
commit 63212e5c16
3 changed files with 25 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
      if (key = api_key_from_request)
        # Use API key
        user = User.find_by_api_key(key)
-      else
+      elsif request.authorization.to_s =~ /\ABasic /i
        # HTTP Basic, either username/password or API key/random
        authenticate_with_http_basic do |username, password|
          user = User.try_to_login(username, password) || User.find_by_api_key(username)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -384,8 +384,8 @@ class User < Principal
  # Find a user account by matching the exact login and then a case-insensitive
  # version.  Exact matches will be given priority.
  def self.find_by_login(login)
+    login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)
    if login.present?
-      login = login.to_s
      # First look for an exact match
      user = where(:login => login).detect {|u| u.login == login}
      unless user
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@ -28,6 +28,29 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
    Setting.rest_api_enabled = '0'
  end

+  def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+    get '/users/current.xml', {}, credentials('jsmith')
+    assert_response 401
+  end
+
+  def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+    get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+    assert_response 401
+  end
+
+  def test_invalid_utf8_credentials_should_not_trigger_an_error
+    invalid_utf8 = "\x82"
+    if invalid_utf8.respond_to?(:force_encoding)
+      invalid_utf8.force_encoding('UTF-8') 
+      assert !invalid_utf8.valid_encoding?
+    end
+    assert_nothing_raised do
+      get '/users/current.xml', {}, credentials(invalid_utf8, "foo")
+    end
+  end
+
  def test_api_request_should_not_use_user_session
    log_user('jsmith', 'jsmith')