Rails 2.3.3.1

Update to latest Rails.
A little bit of jiggery-pokery is involved, since they
neglected to re-include vendored Rack in this release.

vendor/rails/actionpack/lib/action_controller/http_authentication.rb

@@ -183,7 +183,7 @@ module ActionController
         request.env['REDIRECT_X_HTTP_AUTHORIZATION']
       end
 
-      # Raises error unless the request credentials response value matches the expected value.
+      # Returns false unless the request credentials response value matches the expected value.
       # First try the password as a ha1 digest password. If this fails, then try it as a plain
       # text password.
       def validate_digest_response(request, realm, &password_procedure)
@@ -192,9 +192,12 @@ module ActionController
 
         if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
+          return false unless password
+
+          method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
 
          [true, false].any? do |password_is_ha1|
-           expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
+           expected = expected_response(method, request.env['REQUEST_URI'], credentials, password, password_is_ha1)
            expected == credentials[:response]
          end
         end