
Fixing case where it was possible to pass array data to FormAuthenticate
fields

Jose Lorenzo Rodriguez 13 years ago
parent
commit
db6dd18f86

+ 5 - 5
lib/Cake/Controller/Component/Auth/FormAuthenticate.php

@@ -49,11 +49,11 @@ class FormAuthenticate extends BaseAuthenticate {
 		if (empty($request->data[$model])) {
 			return false;
 		}
-		if (
-			empty($request->data[$model][$fields['username']]) ||
-			empty($request->data[$model][$fields['password']])
-		) {
-			return false;
+		foreach (array($fields['username'], $fields['password']) as $field) {
+			$value = $request->data($model . '.' . $field);
+			if (empty($value) || !is_string($value)) {
+				return false;
+			}
 		}
 		return true;
 	}
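Review bot: The new loop has no comment saying why non-string values are rejected, so a later cleanup could fold it back into a plain `empty()` check and reintroduce the problem. I would add above the `foreach` something like `// Reject non-string values: nested request data must not reach the user lookup as an array.` How the values are consumed afterwards is not visible in this hunk, so that wording should be confirmed against the lookup code. Separately, `empty($value)` also treats the string `'0'` as missing, so a username or password of `0` is refused; `if (!is_string($value) || $value === '') {` would keep the type check without that side effect. The enclosing method starts above the hunk.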

+ 22 - 0
lib/Cake/Test/Case/Controller/Component/Auth/FormAuthenticateTest.php

@@ -116,6 +116,28 @@ class FormAuthenticateTest extends CakeTestCase {
 	}
 
 /**
+ * test authenticate field is not string
+ *
+ * @return void
+ */
+	public function testAuthenticateFieldsAreNotString() {
+		$request = new CakeRequest('posts/index', false);
+		$request->data = array(
+			'User' => array(
+				'user' => array('mariano', 'phpnut'),
+				'password' => 'my password'
+		));
+		$this->assertFalse($this->auth->authenticate($request, $this->response));
+
+		$request->data = array(
+			'User' => array(
+				'user' => 'mariano',
+				'password' => array('password1', 'password2')
+		));
+		$this->assertFalse($this->auth->authenticate($request, $this->response));
+	}
+
+/**
  * test the authenticate method
  *
  * @return void
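Review bot: Both cases in `testAuthenticateFieldsAreNotString` use a list-style array, so the test pins only one shape of non-string input, and a regression that special-cased that shape would still pass. The `is_string()` guard also rejects associative arrays and non-string scalars, so I would add a case such as `$request->data = array('User' => array('user' => 'mariano', 'password' => 12345));` followed by the same `assertFalse(...)` call. The docblock could state the expectation, e.g. `test that authenticate() fails when a credential field is not a string`. The hunk ends inside the next test's docblock.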