From 49e92184b0ab616f103c7e93480221e78857e8af Mon Sep 17 00:00:00 2001
From: Donald Parish <donald.parish@buckle.com>
Date: Mon, 2 Feb 2009 15:11:58 -0600
Subject: [PATCH 1/2] Fixed http digest authentication to use credentials URI passed from client

---
 .../lib/action_controller/http_authentication.rb   |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
index 5d915fd..2ccbc22 100644
--- a/actionpack/lib/action_controller/http_authentication.rb
+++ b/actionpack/lib/action_controller/http_authentication.rb
@@ -183,7 +183,7 @@ module ActionController
 
         if valid_nonce && realm == credentials[:realm] && opaque(request.session.session_id) == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
-          expected = expected_response(request.env['REQUEST_METHOD'], request.url, credentials, password)
+          expected = expected_response(request.env['REQUEST_METHOD'], credentials[:uri], credentials, password)
           expected == credentials[:response]
         end
       end
-- 
1.6.1.9.g97c34


From c7906b13e161873fd62dd1743a38070c54c5e680 Mon Sep 17 00:00:00 2001
From: Donald Parish <donald.parish@buckle.com>
Date: Wed, 4 Feb 2009 15:20:51 -0600
Subject: [PATCH 2/2] add test for relative URI

---
 .../controller/http_digest_authentication_test.rb  |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 59f7a40..4913e76 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -107,6 +107,15 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
     assert_equal 'Definitely Maybe', @response.body
   end
 
+   test "authentication request with relative URI" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:uri => "/", :username => 'pretty', :password => 'please')
+    get :display
+
+    assert_response :success
+    assert assigns(:logged_in)
+    assert_equal 'Definitely Maybe', @response.body
+  end
+
   private
 
   def encode_credentials(options)
@@ -120,7 +129,7 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
 
     credentials = decode_credentials(@response.headers['WWW-Authenticate'])
     credentials.merge!(options)
-    credentials.merge!(:uri => "http://#{@request.host}#{@request.env['REQUEST_URI']}")
+    credentials.reverse_merge!(:uri => "http://#{@request.host}#{@request.env['REQUEST_URI']}")
     ActionController::HttpAuthentication::Digest.encode_credentials("GET", credentials, password)
   end
 
-- 
1.6.1.9.g97c34