Strip invalid UTF-8 bytes in User#find_by_login (#16107).

git-svn-id: http://svn.redmine.org/redmine/trunk@12916 e93f8b46-1217-0410-a6f0-8f06a7374b81
Jean-Philippe Lang 2014-02-22 12:50:56 +00:00
parent 58ff842d34
commit 8405d57516
2 changed files with 8 additions and 2 deletions


@ -384,8 +384,8 @@ class User < Principal
# Find a user account by matching the exact login and then a case-insensitive # Find a user account by matching the exact login and then a case-insensitive
# version. Exact matches will be given priority. # version. Exact matches will be given priority.
def self.find_by_login(login) def self.find_by_login(login)
login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)
if login.present? if login.present?
login = login.to_s
# First look for an exact match # First look for an exact match
user = where(:login => login).detect {|u| u.login == login} user = where(:login => login).detect {|u| u.login == login}
unless user unless user
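Review bot: The header comment above find_by_login no longer describes the method's full contract now that the new first line sanitizes the input before any lookup; add a line such as `# Invalid UTF-8 byte sequences in +login+ are replaced before the lookup, so malformed credentials do not raise.` Because the sanitization runs before the `present?` guard, a login made up only of invalid bytes is presumably either blanked or turned into replacement characters — confirm which, since the latter still issues a query for a login that cannot exist. The method's body continues outside the hunk.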


@ -30,7 +30,7 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
def test_api_should_trigger_basic_http_auth_with_basic_authorization_header def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
ApplicationController.any_instance.expects(:authenticate_with_http_basic).once ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
get '/users/current.xml', {}, credentials('admin') get '/users/current.xml', {}, credentials('jsmith')
end end
def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
@ -38,6 +38,12 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar' get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
end end
def test_invalid_utf8_credentials_should_not_trigger_an_error
assert_nothing_raised do
get '/users/current.xml', {}, credentials("\x82", "foo")
end
end
def test_api_request_should_not_use_user_session def test_api_request_should_not_use_user_session
log_user('jsmith', 'jsmith') log_user('jsmith', 'jsmith')