Fixing issue where changing the case for an action in the url would allow the action in the AuthComponent making it accessible to not-logged in users

lib/Cake/Controller/Component/AuthComponent.php

@@ -268,8 +268,8 @@ class AuthComponent extends Component {
 			return true;
 		}
 
-		$methods = array_flip($controller->methods);
+		$methods = array_flip(array_map('strtolower', $controller->methods));
-		$action = $controller->request->params['action'];
+		$action = strtolower($controller->request->params['action']);
 
 		$isMissingAction = (
 			$controller->scaffold === false &&
@@ -296,7 +296,7 @@ class AuthComponent extends Component {
 		$allowedActions = $this->allowedActions;
 		$isAllowed = (
 			$this->allowedActions == array('*') ||
-			in_array($action, $allowedActions)
+			in_array($action, array_map('strtolower', $allowedActions))
 		);
 
 		if ($loginAction != $url && $isAllowed) {

lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php

@@ -671,6 +671,11 @@ class AuthComponentTest extends CakeTestCase {
 		$this->Controller->request->query['url'] = Router::normalize($url);
 
 		$this->assertFalse($this->Controller->Auth->startup($this->Controller));
+
+		$url = '/auth_test/CamelCase';
+		$this->Controller->request->addParams(Router::parse($url));
+		$this->Controller->request->query['url'] = Router::normalize($url);
+		$this->assertFalse($this->Controller->Auth->startup($this->Controller));
 	}
 
 /**