From 1e1f72b2bb2e193f0f54f6a55eefdb5008f85ecd Mon Sep 17 00:00:00 2001
From: Ben Marini <bmarini@gmail.com>
Date: Mon, 31 May 2010 00:06:49 -0700
Subject: [PATCH] Fix parsing bug in `HttpAuthentication::Token`

Base64 encoded values passed in the Authentication header field
are now parsed correctly. Equals signs should be allowed within
quoted strings in the header field.

signature="wOJIO9A2W5mFwDgiDvZbTSMK/PY="
---
 .../action_controller/metal/http_authentication.rb |    8 ++++----
 .../controller/http_token_authentication_test.rb   |    7 +++++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index be7448c..34ea0a2 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -422,10 +422,10 @@ module ActionController
         if header = request.authorization.to_s[/^Token (.*)/]
           values = $1.split(',').
             inject({}) do |memo, value|
-              value.strip!                      # remove any spaces between commas and values
-              key, value = value.split(/\=\"?/) # split key=value pairs
-              value.chomp!('"')                 # chomp trailing " in value
-              value.gsub!(/\\\"/, '"')          # unescape remaining quotes
+              value.strip!                         # remove any spaces between commas and values
+              key, value = value.split(/\=\"?/, 2) # split key=value pairs
+              value.chomp!('"')                    # chomp trailing " in value
+              value.gsub!(/\\\"/, '"')             # unescape remaining quotes
               memo.update(key => value)
             end
           [values.delete("token"), values.with_indifferent_access]
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
index 3dfccae..aef228b 100644
--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -105,6 +105,13 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
     assert_equal 'Definitely Maybe', @response.body
   end
 
+  test "base64 encoded authorization attributes" do
+    args = [ "vF9dft4qmT", { :signature => "wOJIO9A2W5mFwDgiDvZbTSMK/PY=" } ]
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(*args)
+    token, options = ActionController::HttpAuthentication::Token.token_and_options(@request)
+    assert_equal args[1][:signature], options[:signature]
+  end
+
   private
 
   def encode_credentials(token, options = {})
-- 
1.7.0.6