From 55c929b241298888a14613f7eb48b4f12ee215a4 Mon Sep 17 00:00:00 2001
From: Donald Parish <donald.parish@gmail.com>
Date: Tue, 17 Feb 2009 11:17:57 -0600
Subject: [PATCH 2/3] Digest authentication handles either absolute or relative uri. The request-uri must match the digest-uri.

---
 .../lib/action_controller/http_authentication.rb   |    2 +-
 .../controller/http_digest_authentication_test.rb  |   19 +++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
index 2ccbc22..6e0a79a 100644
--- a/actionpack/lib/action_controller/http_authentication.rb
+++ b/actionpack/lib/action_controller/http_authentication.rb
@@ -183,7 +183,7 @@ module ActionController
 
         if valid_nonce && realm == credentials[:realm] && opaque(request.session.session_id) == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
-          expected = expected_response(request.env['REQUEST_METHOD'], credentials[:uri], credentials, password)
+          expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password)
           expected == credentials[:response]
         end
       end
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 4913e76..7ce7f44 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -107,8 +107,19 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
     assert_equal 'Definitely Maybe', @response.body
   end
 
-   test "authentication request with relative URI" do
-    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:uri => "/", :username => 'pretty', :password => 'please')
+   test "authentication request with request-uri that doesn't match credentials digest-uri" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'please')
+    @request.env['REQUEST_URI'] = "/http_digest_authentication_test/dummy_digest/altered/uri"
+    get :display
+
+    assert_response :unauthorized
+    assert_equal "Authentication Failed", @response.body
+  end
+
+   test "authentication request with absolute uri" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:uri => "http://test.host/http_digest_authentication_test/dummy_digest/display",
+                                                            :username => 'pretty', :password => 'please')
+    @request.env['REQUEST_URI'] = "http://test.host/http_digest_authentication_test/dummy_digest/display"
     get :display
 
     assert_response :success
@@ -122,14 +133,14 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
     options.reverse_merge!(:nc => "00000001", :cnonce => "0a4f113b")
     password = options.delete(:password)
 
-    # Perform unautheticated get to retrieve digest parameters to use on subsequent request
+    # Perform unauthenticated GET to retrieve digest parameters to use on subsequent request
     get :index
 
     assert_response :unauthorized
 
     credentials = decode_credentials(@response.headers['WWW-Authenticate'])
     credentials.merge!(options)
-    credentials.reverse_merge!(:uri => "http://#{@request.host}#{@request.env['REQUEST_URI']}")
+    credentials.reverse_merge!(:uri => "#{@request.env['REQUEST_URI']}")
     ActionController::HttpAuthentication::Digest.encode_credentials("GET", credentials, password)
   end
 
-- 
1.6.1.9.g97c34