From ff0f341f6f30497a1aa495368ae1bc30ae9bf5eb Mon Sep 17 00:00:00 2001
From: Alexander Dutton
Date: Mon, 4 Mar 2013 09:08:11 +0000
Subject: [PATCH] Handle malformed (e.g. empty, single token) Authorization headers without 500

---
 oauth2app/authenticate.py | 2 +-
 oauth2app/token.py | 16 ++++++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/oauth2app/authenticate.py b/oauth2app/authenticate.py
index 0edd2ed..5dc1f35 100644
--- a/oauth2app/authenticate.py
+++ b/oauth2app/authenticate.py
@@ -92,7 +92,7 @@ def validate(self, request):
 *Returns None*"""
 self.request = request
 self.bearer_token = request.REQUEST.get('bearer_token')
- if "HTTP_AUTHORIZATION" in self.request.META:
+ if self.request.META.get("HTTP_AUTHORIZATION"):
 auth = self.request.META["HTTP_AUTHORIZATION"].split()
 self.auth_type = auth[0].lower()
 self.auth_value = " ".join(auth[1:]).strip()
diff --git a/oauth2app/token.py b/oauth2app/token.py
index f2c2b4a..204c13e 100644
--- a/oauth2app/token.py
+++ b/oauth2app/token.py
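Review bot: The new `if self.request.META.get("HTTP_AUTHORIZATION"):` guard only screens out an absent or empty header; a whitespace-only `Authorization:` value is still truthy, `.split()` on the next line then yields `[]`, and `auth[0].lower()` raises IndexError — the same 500 the commit sets out to remove. Splitting first and testing the token list closes that gap: `auth = self.request.META.get("HTTP_AUTHORIZATION", "").split()` followed by `if auth:`, with the two assignments beneath unchanged. The enclosing `validate` method continues past the end of the hunk, so whether `auth_type`/`auth_value` are reset on the no-header path is not visible here.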
@@ -212,13 +212,17 @@ def _validate_access_credentials(self):
 """Validate the request's access credentials."""
 if self.client_secret is None and "HTTP_AUTHORIZATION" in self.request.META:
 authorization = self.request.META["HTTP_AUTHORIZATION"]
- auth_type, auth_value = authorization.split()[0:2]
- if auth_type.lower() == "basic":
- credentials = "%s:%s" % (self.client.key, self.client.secret)
- if auth_value != b64encode(credentials):
- raise InvalidClient('Client authentication failed.')
- else:
+ try:
+ auth_type, auth_value = authorization.split()[:2]
+ except ValueError: # malformed Authorization header
 raise InvalidClient('Client authentication failed.')
+ else:
+ if auth_type.lower() == "basic":
+ credentials = "%s:%s" % (self.client.key, self.client.secret)
+ if auth_value != b64encode(credentials):
+ raise InvalidClient('Client authentication failed.')
+ else:
+ raise InvalidClient('Client authentication failed.')
 elif self.client_secret != self.client.secret:
 raise InvalidClient('Client authentication failed.')
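Review bot: The `if auth_value != b64encode(credentials):` line carried into the new `else:` branch compares the client secret with an ordinary string `!=`, which stops at the first differing byte and so leaks, one request at a time, how much of the encoded credential an attacker already has right; `if not hmac.compare_digest(auth_value, b64encode(credentials)):` (with `import hmac` at the top of the file; available from Python 2.7.7/3.3, and on Python 3 both arguments must be the same type, so `auth_value` would need encoding there) gives a constant-time check. Less critical, `authorization.split()[:2]` silently accepts and discards any tokens after the credential, which is worth a comment if intentional. The unchanged `raise InvalidClient('Client authentication failed.')` kept as context now serves the `except ValueError` path, and the inline comment on that `except` documents it adequately. The function may continue past the last line of the hunk.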