Handle malformed (e.g. empty, single token) Authorization headers wit…

…hout 500
hiidef · Mar 4, 2013 · ff0f341 · ff0f341
1 parent f8205e2
commit ff0f341
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/oauth2app/authenticate.py b/oauth2app/authenticate.py
@@ -92,7 +92,7 @@ def validate(self, request):
         *Returns None*"""
         self.request = request
         self.bearer_token = request.REQUEST.get('bearer_token')
-        if "HTTP_AUTHORIZATION" in self.request.META:
+        if self.request.META.get("HTTP_AUTHORIZATION"):
             auth = self.request.META["HTTP_AUTHORIZATION"].split()
             self.auth_type = auth[0].lower()
             self.auth_value = " ".join(auth[1:]).strip()

diff --git a/oauth2app/token.py b/oauth2app/token.py
@@ -212,13 +212,17 @@ def _validate_access_credentials(self):
         """Validate the request's access credentials."""
         if self.client_secret is None and "HTTP_AUTHORIZATION" in self.request.META:
             authorization = self.request.META["HTTP_AUTHORIZATION"]
-            auth_type, auth_value = authorization.split()[0:2]
-            if auth_type.lower() == "basic":
-                credentials = "%s:%s" % (self.client.key, self.client.secret)
-                if auth_value != b64encode(credentials):
-                    raise InvalidClient('Client authentication failed.')
-            else:
+            try:
+                auth_type, auth_value = authorization.split()[:2]
+            except ValueError: # malformed Authorization header
                 raise InvalidClient('Client authentication failed.')
+            else:
+                if auth_type.lower() == "basic":
+                    credentials = "%s:%s" % (self.client.key, self.client.secret)
+                    if auth_value != b64encode(credentials):
+                        raise InvalidClient('Client authentication failed.')
+                else:
+                    raise InvalidClient('Client authentication failed.')
         elif self.client_secret != self.client.secret:
             raise InvalidClient('Client authentication failed.')