Skip to content

Handle malformed Authorization headers without a 500. #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
alexdutton wants to merge 41 commits into
base: develop
Choose a base branch
from
Open

Handle malformed Authorization headers without a 500. #41

alexdutton wants to merge 41 commits into from

Conversation

@alexdutton
Copy link

@alexdutton alexdutton commented Mar 4, 2013

There's an uncaught exception when the Authentication header is empty, as handily pointed out by the Googlebot:

Traceback (most recent call last):

  File "/usr/lib/python2.6/dist-packages/django/core/handlers/base.py", line 89, in get_response
    response = middleware_method(request)

  File "/usr/lib/python2.6/dist-packages/dataox/oauth2/middleware.py", line 10, in process_request
    authenticator.validate(request)

  File "/etc/puppet/src/oauth2app/oauth2app/authenticate.py", line 97, in validate
    self.auth_type = auth[0].lower()

IndexError: list index out of range

<WSGIRequest
path:/foo/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'DOCUMENT_ROOT': '/etc/apache2/htdocs',
 'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTPS': '1',
 'HTTP_ACCEPT': '*/*',
 'HTTP_ACCEPT_ENCODING': 'gzip,deflate',
 'HTTP_AUTHORIZATION': '',
 'HTTP_CONNECTION': 'Keep-alive',
 'HTTP_FROM': 'googlebot(at)googlebot.com',
 'HTTP_HOST': 'data.ox.ac.uk',
 'HTTP_IF_MODIFIED_SINCE': 'Fri, 11 Jan 2013 04:50:27 GMT',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',>

I noticed another part susceptible to this problem in oauth2app.token, where an Authentication header that didn't split() into at least two parts would throw an error, which I've also fixed.

bhagany and others added 30 commits March 9, 2012 11:53
@bhagany
Merge branch 'hotfix/none_scope'
ec50856
@ghickman
Swap simplejson out for stdlib json
af61938
@bhagany
Merge pull request hiidef#12 from ghickman/master
db16899 
Swap simplejson out for stdlib json in the testsites api test
@ghickman
Tidy up exception handling
3a10095 
Use new style variable assignment to avoid issues with python version
support and remove variable assignment when it's not being used.
@ghickman
Merge branch 'master' of git://github.com/hiidef/oauth2app
af2b717
@ghickman
Add django nose to the example project
e17d266
@ghickman
Stub out the authenticate tests
73395d9
@bhagany
Merge pull request hiidef#14 from ghickman/3a100951
6784806 
Tidy up Exception Handling
@bhagany
Merge pull request hiidef#15 from ghickman/73395d97
1efb332 
Add django-nose and the test stubs
@frutik
Issue a new access token in refreshing flow. According to chapter 6 o…
a5cf37c 
…f current oauth2 draft.
@bhagany
Merge pull request hiidef#30 from frutik/master
b00cc5e 
Issue a new access token in refreshing flow
@hpk
Prefer simplejson, but fall back to json
23d717a
@rcoup
Fix absolute_http_url_re import with fallback
8f11c32
@rcoup
Fix test failures
8349777
@rcoup
Enable use of custom user models for django1.5+
e823dc7
@bhagany
call get_user_model in try block for better backwards compatibility
080f6fa
@alexdutton
Handle malformed (e.g. empty, single token) Authorization headers wit…
78fc23e 
…hout 500
@alexdutton
Added flag allowing a client to skip confirmation from the user.
6b42914
@alexdutton
Allow individual scopes to expire after fixed periods.
ee1468c
@alexdutton
Allow admins to limit clients to using only particular scopes.
fe6833c
@alexdutton
AccessRange can now manage permissions directly through a fake user.
6f4bc48
@alexdutton
Added a label to AccessRange, for added user-friendliness.
200d7fc
@alexdutton
Added __unicode__() to AccessRange.
1e23b29
@alexdutton
Added basic admin site integration.
916c241
@alexdutton
Added views and templates for authorize and token endpoints.
a4df8e7
@alexdutton
Tidying code (trailing whitespace; spurious print statements)
0a0ca20
@alexdutton
Make groups available on proxy users.
d0f3ab7
@alexdutton
Removed return statement as it precluded checking token expiry.
53bfbb3
@alexdutton
Only change scope if refresh_token grant asked for it.
8a5a696 
Section 6 of the OAuth2 RFC says that if scope parameter is omitted it "is treated as equal to the scope originally granted by the resource owner." Previously oauth2app cleared the scope if the scope parameter was omitted.

Fixes hiidef#51.
@alexdutton
Better expiry display in admin
9d2359d
@alexdutton
Don't assume every request has a user attribute in response middleware.
d0453eb
@alexdutton
Make sure we have scopes on our user before trying to access them
619b0d7
@alexdutton
Merge remote-tracking branch 'hiidef/develop' into develop
51ba71c 
Conflicts:
	oauth2app/authenticate.py
	oauth2app/authorize.py
	oauth2app/models.py
	oauth2app/token.py
	setup.py
	tests/testsite/apps/api/tests/__init__.py
	tests/testsite/apps/api/tests/base.py
	tests/testsite/apps/api/tests/mac.py
	tests/testsite/apps/api/tests/responsetype.py
	tests/testsite/apps/api/tests/scope.py
@alexdutton
Dj1.7 support
34dedfd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@alexdutton @bhagany @ghickman @frutik @hpk @rcoup