misc: ignore invalid HTTP basic authentication header (#46835)

2020-09-21 15:10:23 +02:00 · 2020-09-21 15:10:23 +02:00 · af5cf63d95
parent 84f9a33df2
commit af5cf63d95
2 changed files with 14 additions and 1 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -3193,3 +3193,9 @@ def test_cards(pub, local_user):
    assert resp.json['data'][0]['fields']['foo'] == 'blah'
    assert resp.json['data'][0]['digest'] == formdata.digest
    assert resp.json['data'][0]['text'] == formdata.digest
+
+
+def test_api_invalid_http_basic_auth(pub, local_user, admin_user, ics_data):
+    app = get_app(pub)
+    app.get('/api/forms/test/ics/foobar?email=%s' % local_user.email,
+            headers={'Authorization': 'Basic garbage'}, status=401)
--- a/wcs/qommon/http_request.py
+++ b/wcs/qommon/http_request.py
@ -53,7 +53,14 @@ class HTTPRequest(quixote.http_request.HTTPRequest):
        auth_header = self.get_header('Authorization', '')
        if auth_header.startswith('Basic '):
            auth_header = auth_header.split(' ', 1)[1]
-            username, password = force_text(base64.decodestring(force_bytes(auth_header))).split(':', 1)
+            try:
+                username, password = force_text(base64.decodestring(force_bytes(auth_header))).split(':', 1)
+            except (UnicodeDecodeError, ValueError):
+                # ValueError will catch both missing ":" (not enough values to
+                # unpack (expected 2, got 1)) and binascii.Error (incorrect
+                # padding or invalid base64-encoded string).
+                self._user = None
+                return
            from .ident.password_accounts import PasswordAccount
            try:
                self._user = PasswordAccount.get_with_credentials(username, password)