From 22e6cb257635fd644c8ef1d304ac3e6a2ff9ade5 Mon Sep 17 00:00:00 2001
From: mpestov
Date: Sun, 12 Sep 2021 17:01:03 +0300
Subject: [PATCH] Check basic auth credentials contains a colon
---
 .../lib/action_controller/metal/http_authentication.rb | 2 +-
 actionpack/test/controller/http_basic_authentication_test.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 9db231f5af396..5ecc5d722de9f 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -103,7 +103,7 @@ def authenticate(request, &login_procedure)
 end
 def has_basic_credentials?(request)
- request.authorization.present? && (auth_scheme(request).downcase == "basic")
+ request.authorization.present? && (auth_scheme(request).downcase == "basic") && user_name_and_password(request).length == 2
 end
 def user_name_and_password(request)
diff --git a/actionpack/test/controller/http_basic_authentication_test.rb b/actionpack/test/controller/http_basic_authentication_test.rb
index 73524d0443c87..8c81f42a76ab6 100644
--- a/actionpack/test/controller/http_basic_authentication_test.rb
+++ b/actionpack/test/controller/http_basic_authentication_test.rb
@@ -112,6 +112,11 @@ def test_encode_credentials_has_no_newline
 assert_no_match(/\n/, result)
 end
+ test "has_basic_credentials? should fail with credentials without colon" do
+ @request.env["HTTP_AUTHORIZATION"] = "Basic #{::Base64.encode64("David Goliath")}"
+ assert_not ActionController::HttpAuthentication::Basic.has_basic_credentials?(@request)
+ end
+
 test "successful authentication with uppercase authorization scheme" do
 @request.env["HTTP_AUTHORIZATION"] = "BASIC #{::Base64.encode64("lifo:world")}"
 get :index
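Review bot: The added clause leaves `has_basic_credentials?` as a single expression well past 120 columns, and the three conditions are now independent checks, so I would put one per line with the `&&` at line ends and document the stricter contract above the method, e.g. `# True only for a well-formed Basic header: present, scheme "basic", and a decoded "user:password" pair (the Basic scheme forbids a colon in the user-id, so the first colon is the split point).` The clause also means the predicate now base64-decodes the header itself, and `authenticate` (whose body ends just above the hunk) presumably decodes it again through `user_name_and_password` on success; harmless, but worth a short comment so nobody "optimises" one of the two away without seeing the other. Whether a garbled token can raise inside the predicate depends on `decode_credentials`, which is outside the hunk — if it relies on the lenient `Base64.decode64` the `?` method stays exception-free, which is what callers expect; if it is ever switched to `strict_decode64`, this check would need a rescue.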
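Review bot: The new test only asserts on the predicate, so it does not demonstrate the behaviour the subject line is really about — that a colon-less credential now ends in a 401 rather than the login block being invoked with a single argument and a nil password. The neighbouring test drives the controller with `get :index`, so I would do the same here followed by `assert_response :unauthorized` (assuming `index` is protected by `authenticate_or_request_with_http_basic` like the uppercase-scheme case). A one-line comment on the fixture, such as `# no colon: must not be treated as a user/password pair`, would also make the intent of `"David Goliath"` obvious to the next reader.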