diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php index e74662ffb..ce6a451df 100644 --- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php +++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php @@ -78,7 +78,7 @@ class BasicAuthenticate extends BaseAuthenticate { $username = env('PHP_AUTH_USER'); $pass = env('PHP_AUTH_PW'); - if (empty($username) || empty($pass)) { + if (!is_string($username) || $username === '' || !is_string($pass) || $pass === '') { return false; } return $this->_findUser($username, $pass); diff --git a/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php b/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php index 0e0e8bf02..cd337cf08 100644 --- a/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php +++ b/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php @@ -126,10 +126,35 @@ class BasicAuthenticateTest extends CakeTestCase { $_SERVER['PHP_AUTH_PW'] = "' OR 1 = 1"; $this->assertFalse($this->auth->getUser($request)); - $this->assertFalse($this->auth->authenticate($request, $this->response)); } +/** + * Test that username of 0 works. + * + * @return void + */ + public function testAuthenticateUsernameZero() { + $User = ClassRegistry::init('User'); + $User->updateAll(array('user' => $User->getDataSource()->value('0')), array('user' => 'mariano')); + + $request = new CakeRequest('posts/index', false); + $request->data = array('User' => array( + 'user' => '0', + 'password' => 'password' + )); + $_SERVER['PHP_AUTH_USER'] = '0'; + $_SERVER['PHP_AUTH_PW'] = 'password'; + + $expected = array( + 'id' => 1, + 'user' => '0', + 'created' => '2007-03-17 01:16:23', + 'updated' => '2007-03-17 01:18:31' + ); + $this->assertEquals($expected, $this->auth->authenticate($request, $this->response)); + } + /** * test that challenge headers are sent when no credentials are found. *