From 63212e5c1682a03c6a1e2438b99251405d03101f Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 23 Feb 2014 08:20:42 +0000
Subject: [PATCH] Merged r12915 to 12918 (#16107).

git-svn-id: http://svn.redmine.org/redmine/branches/2.5-stable@12923 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 2 +-
 app/models/user.rb | 2 +-
 .../api_test/authentication_test.rb | 23 +++++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b297aa738..43257b2bf 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
 if (key = api_key_from_request)
 # Use API key
 user = User.find_by_api_key(key)
- else
+ elsif request.authorization.to_s =~ /\ABasic /i
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
 user = User.try_to_login(username, password) || User.find_by_api_key(username)
diff --git a/app/models/user.rb b/app/models/user.rb
index a31cb46e9..4a33590f7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -384,8 +384,8 @@ class User < Principal
 # Find a user account by matching the exact login and then a case-insensitive
 # version. Exact matches will be given priority.
 def self.find_by_login(login)
+ login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)
 if login.present?
- login = login.to_s
 # First look for an exact match
 user = where(:login => login).detect {|u| u.login == login}
 unless user
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index 3a6a4d696..16c589d3e 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
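Review bot: The new `elsif` guard still hands the `password` to try_to_login and the `username` to find_by_api_key exactly as Rails decoded them from the header, while the only sanitization this commit adds (replace_invalid_utf8 in User.find_by_login) sits on the login path; the added test sends invalid UTF-8 only in the username position with a plain `"foo"` password, so an invalid byte sequence in the password or in the API-key-as-username position is not covered and could still raise wherever those strings are stripped, compared or quoted. Consider a second test with an invalid-UTF-8 password and, if it fails, normalizing both values at the top of the block: `username = Redmine::CodesetUtil.replace_invalid_utf8(username.to_s)` and `password = Redmine::CodesetUtil.replace_invalid_utf8(password.to_s)`. The guard condition also deserves a why-comment, since it is the actual behavioural change, e.g. `# Only hand Basic credentials to Rails; presumably other schemes (Digest, Bearer) would otherwise be decoded as if they were Basic`. The enclosing method starts and ends outside this hunk.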
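Review bot: The added `Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)` line runs on every call, including a nil login that the old code never touched beyond the `present?` check, and nothing in find_by_login says why a codeset helper is involved; a one-line why-comment would spare the next maintainer the bug archaeology, e.g. `# Normalize invalid UTF-8 up front (a login can arrive as raw bytes, e.g. from an HTTP Basic header) so the exact and case-insensitive lookups below cannot raise an encoding error`. Note that a login containing invalid bytes is now matched in its replaced form rather than as raw bytes, so it can only hit an account whose stored login literally contains the replacement sequence — presumably not possible today, but worth keeping in mind if login validation is ever loosened. The method body continues outside this hunk.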
@@ -28,6 +28,29 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
 Setting.rest_api_enabled = '0'
 end
 
+ def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+ ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+ get '/users/current.xml', {}, credentials('jsmith')
+ assert_response 401
+ end
+
+ def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+ ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+ get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+ assert_response 401
+ end
+
+ def test_invalid_utf8_credentials_should_not_trigger_an_error
+ invalid_utf8 = "\x82"
+ if invalid_utf8.respond_to?(:force_encoding)
+ invalid_utf8.force_encoding('UTF-8')
+ assert !invalid_utf8.valid_encoding?
+ end
+ assert_nothing_raised do
+ get '/users/current.xml', {}, credentials(invalid_utf8, "foo")
+ end
+ end
+
 def test_api_request_should_not_use_user_session
 log_user('jsmith', 'jsmith')