

Handle malformed (e.g. empty, single token) Authorization headers without 500
alexdutton committed Mar 4, 2013
1 parent f8205e2 commit ff0f341
Showing 2 changed files with 11 additions and 7 deletions.
2 changes: 1 addition & 1 deletion oauth2app/authenticate.py
Expand Up @@ -92,7 +92,7 @@ def validate(self, request):
*Returns None*"""
self.request = request
self.bearer_token = request.REQUEST.get('bearer_token')
if "HTTP_AUTHORIZATION" in self.request.META:
if self.request.META.get("HTTP_AUTHORIZATION"):
auth = self.request.META["HTTP_AUTHORIZATION"].split()
self.auth_type = auth[0].lower()
self.auth_value = " ".join(auth[1:]).strip()
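Review bot: A header that is present but consists only of whitespace still reaches `auth[0]` and raises IndexError, because `self.request.META.get("HTTP_AUTHORIZATION")` is truthy for `"   "` while `.split()` of it yields an empty list; the one-line check `if self.request.META.get("HTTP_AUTHORIZATION", "").strip():` covers that case along with the empty and missing ones the commit targets. A single-token header such as `Bearer` is handled by the new code, leaving `auth_value` as the empty string. The `validate` method begins before and continues past this hunk, so what `auth_type` and `auth_value` hold when the header is absent is not visible here; it is worth confirming they are initialised before this branch so later code does not hit an AttributeError instead.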
16 changes: 10 additions & 6 deletions oauth2app/token.py
Expand Up @@ -212,13 +212,17 @@ def _validate_access_credentials(self):
"""Validate the request's access credentials."""
if self.client_secret is None and "HTTP_AUTHORIZATION" in self.request.META:
authorization = self.request.META["HTTP_AUTHORIZATION"]
auth_type, auth_value = authorization.split()[0:2]
if auth_type.lower() == "basic":
credentials = "%s:%s" % (self.client.key, self.client.secret)
if auth_value != b64encode(credentials):
raise InvalidClient('Client authentication failed.')
else:
try:
auth_type, auth_value = authorization.split()[:2]
except ValueError: # malformed Authorization header
raise InvalidClient('Client authentication failed.')
else:
if auth_type.lower() == "basic":
credentials = "%s:%s" % (self.client.key, self.client.secret)
if auth_value != b64encode(credentials):
raise InvalidClient('Client authentication failed.')
else:
raise InvalidClient('Client authentication failed.')
elif self.client_secret != self.client.secret:
raise InvalidClient('Client authentication failed.')

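Review bot: The credential check on the new line `if auth_value != b64encode(credentials):` is an ordinary string comparison that stops at the first differing byte, so response timing can reveal how much of the expected base64 value a caller has right; `if not hmac.compare_digest(auth_value, b64encode(credentials)):` (with `import hmac` at the top of the module; available from Python 2.7.7 and 3.3, so confirm against the project's supported versions) removes that leak. The `[:2]` slice also silently discards any extra tokens, so a header like `Basic <value> junk` is treated as well-formed rather than rejected like the empty and single-token cases this commit now handles; splitting into a list and requiring exactly two parts before unpacking would be stricter and would need no try/except. Whether `_validate_access_credentials` ends at the blank line after the `elif` branch or continues is not visible in the hunk.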

