diff --git a/app/models/user.rb b/app/models/user.rb
index a31cb46e9..4a33590f7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -384,8 +384,8 @@ class User < Principal
   # Find a user account by matching the exact login and then a case-insensitive
   # version. Exact matches will be given priority.
   def self.find_by_login(login)
+    login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s) if login.present?
-    login = login.to_s
     # First look for an exact match
     user = where(:login => login).detect {|u| u.login == login}
     unless user
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index 016ab11d2..92f7db684 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@@ -30,7 +30,7 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
   def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
     ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
-    get '/users/current.xml', {}, credentials('admin')
+    get '/users/current.xml', {}, credentials('jsmith')
   end
 
   def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
@@ -38,6 +38,12 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
   end
 
+  def test_invalid_utf8_credentials_should_not_trigger_an_error
+    assert_nothing_raised do
+      get '/users/current.xml', {}, credentials("\x82", "foo")
+    end
+  end
+
   def test_api_request_should_not_use_user_session
     log_user('jsmith', 'jsmith')
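Review bot: The added `if login.present?` guard drops the unconditional `login.to_s` that the removed line performed, so a nil login now reaches `where(:login => login)` on the next context line as nil; in ActiveRecord that query becomes `login IS NULL` where it was previously `login = ''`, and the case-insensitive fallback further down the method receives nil as well. If the column ever holds NULL (schema not visible here), an empty credential could match such a row, which is a different outcome from the old code. Keep the string coercion unconditional and guard only the sanitiser: `login = login.to_s` followed by `login = Redmine::CodesetUtil.replace_invalid_utf8(login) if login.present?`. find_by_login's body continues outside the hunk.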
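Review bot: `assert_nothing_raised` in the new test_invalid_utf8_credentials_should_not_trigger_an_error only shows that the request does not blow up; it would also pass if the sanitised "\x82" login happened to authenticate against some account, which is the outcome an auth test should rule out. Add `assert_response :unauthorized` after the `get` inside the block so the expected rejection is pinned and a regression that lets mangled credentials through is caught. The other hunk in this file only swaps the credentials fixture and needs no change.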