Validate authorization header in multi auth

Fixes #51
miguelgrinberg · Jan 30, 2017 · d98d88d · d98d88d
1 parent f7fe976
commit d98d88d
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 24 deletions.
diff --git a/flask_httpauth.py b/flask_httpauth.py
@@ -11,7 +11,7 @@
 from functools import wraps
 from hashlib import md5
 from random import Random, SystemRandom
-from flask import request, make_response, session
+from flask import request, make_response, session, abort
 from werkzeug.datastructures import Authorization
 
 __version__ = '3.2.1'
@@ -257,11 +257,17 @@ def login_required(self, f):
         def decorated(*args, **kwargs):
             selected_auth = None
             if 'Authorization' in request.headers:
-                scheme, creds = request.headers['Authorization'].split(None, 1)
-                for auth in self.additional_auth:
-                    if auth.scheme == scheme:
-                        selected_auth = auth
-                        break
+                try:
+                    scheme, creds = request.headers['Authorization'].split(
+                        None, 1)
+                except ValueError:
+                    # malformed Authorization header
+                    pass
+                else:
+                    for auth in self.additional_auth:
+                        if auth.scheme == scheme:
+                            selected_auth = auth
+                            break
             if selected_auth is None:
                 selected_auth = self.main_auth
             return selected_auth.login_required(f)(*args, **kwargs)

diff --git a/tests/test_multi.py b/tests/test_multi.py
@@ -81,3 +81,8 @@ def test_multi_auth_login_invalid_scheme(self):
         self.assertTrue('WWW-Authenticate' in response.headers)
         self.assertEqual(response.headers['WWW-Authenticate'],
                          'Basic realm="Authentication Required"')
+
+    def test_multi_malformed_header(self):
+        response = self.client.get(
+            '/protected', headers={'Authorization': 'token-without-scheme'})
+        self.assertEqual(response.status_code, 401)
diff --git a/tox.ini b/tox.ini
@@ -1,12 +1,14 @@
 [tox]
-envlist=flake8,py27,py33,py34,py35,pypy,docs,coverage
+envlist=flake8,py27,py34,py35,py36,pypy,docs,coverage
 skip_missing_interpreters=True
 
 [testenv]
 commands=
     coverage run --branch --include=flask_httpauth.py setup.py test
     coverage report --show-missing
     coverage erase
+deps=
+    coverage
 
 [testenv:flake8]
 basepython=python
@@ -17,33 +19,21 @@ commands=
 
 [testenv:py26]
 basepython=python2.6
-deps=
-    coverage
 
 [testenv:py27]
 basepython=python2.7
-deps=
-    coverage
-
-[testenv:py33]
-basepython=python3.3
-deps=
-    coverage
 
 [testenv:py34]
 basepython=python3.4
-deps=
-    coverage
 
 [testenv:py35]
 basepython=python3.5
-deps=
-    coverage
+
+[testenv:py36]
+basepython=python3.6
 
 [testenv:pypy]
 basepython=pypy
-deps=
-    coverage
 
 [testenv:docs]
 basepython=python2.7
@@ -57,8 +47,6 @@ commands=
 
 [testenv:coverage]
 basepython=python
-deps=
-    coverage
 commands=
     coverage run --branch --source=flask_httpauth.py setup.py test
     coverage html