
Handle malformed Authorization headers without a 500. #41

Open
wants to merge 41 commits into base: develop

Conversation

alexdutton

There's an uncaught exception when the Authentication header is empty, as handily pointed out by the Googlebot:

Traceback (most recent call last):

  File "/usr/lib/python2.6/dist-packages/django/core/handlers/base.py", line 89, in get_response
    response = middleware_method(request)

  File "/usr/lib/python2.6/dist-packages/dataox/oauth2/middleware.py", line 10, in process_request
    authenticator.validate(request)

  File "/etc/puppet/src/oauth2app/oauth2app/authenticate.py", line 97, in validate
    self.auth_type = auth[0].lower()

IndexError: list index out of range

<WSGIRequest
path:/foo/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'DOCUMENT_ROOT': '/etc/apache2/htdocs',
 'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTPS': '1',
 'HTTP_ACCEPT': '*/*',
 'HTTP_ACCEPT_ENCODING': 'gzip,deflate',
 'HTTP_AUTHORIZATION': '',
 'HTTP_CONNECTION': 'Keep-alive',
 'HTTP_FROM': 'googlebot(at)googlebot.com',
 'HTTP_HOST': 'data.ox.ac.uk',
 'HTTP_IF_MODIFIED_SINCE': 'Fri, 11 Jan 2013 04:50:27 GMT',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',>

I noticed another part susceptible to this problem in oauth2app.token, where an Authentication header that didn't split() into at least two parts would throw an error, which I've also fixed.
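The failure mode described in this pull request, an Authorization header that is empty or does not split into at least two parts, is small enough to show end to end. The block below is an added example written for this page, not oauth2app's own code: `naive_parse` reproduces the `split()`-then-index pattern from the traceback, `parse_authorization` is a defensive replacement that treats anything with fewer than two parts as "no credentials", and `authenticate_request` shows how a middleware-style check built on it answers 401 instead of raising. The `request.META`-shaped dicts and the bearer tokens are constructed test input; `valid_tokens` is a hypothetical stand-in for whatever store the real application consults.

```python
"""Defensive handling of the HTTP Authorization header.

Added example (not oauth2app's code). Shows why an empty or single-word
header turns a split()-and-index parser into an IndexError (a 500 in
Django), and how to parse the same header so a malformed value is simply
treated as absent and answered with a 401.
"""


def naive_parse(header):
    """The pattern the traceback describes: split() and index without a check.

    Reconstructed here only for contrast. Crashes with IndexError when the
    header is '' or contains a single word such as 'Bearer'.
    """
    auth = header.split()
    return auth[0].lower(), auth[1]


def naive_parse_crashes(header):
    """True if naive_parse raises IndexError on this header (used for tests)."""
    try:
        naive_parse(header)
    except IndexError:
        return True
    return False


def parse_authorization(header):
    """Return (auth_type, credentials) or None for a missing/malformed header.

    auth_type is lower-cased; credentials keep their case because tokens are
    usually case-sensitive. Surrounding whitespace is ignored. Any header with
    fewer than two whitespace-separated parts is treated as absent rather
    than raising.
    """
    if header is None:
        return None
    parts = header.split(None, 1)  # at most one split: "<type> <rest>"
    if len(parts) != 2:            # "", "   " and "Bearer" all land here
        return None
    auth_type, credentials = parts
    credentials = credentials.strip()
    if not credentials:            # "Bearer   " -> type with no credentials
        return None
    return auth_type.lower(), credentials


def authenticate_request(meta, valid_tokens):
    """Mimic the middleware decision for one request.

    `meta` is a dict shaped like Django's request.META (constructed input);
    `valid_tokens` is a hypothetical set of accepted bearer tokens.
    Returns (status_code, matched_token_or_None). A malformed header yields
    401 and never an exception.
    """
    parsed = parse_authorization(meta.get("HTTP_AUTHORIZATION"))
    if parsed is None:
        return 401, None
    auth_type, credentials = parsed
    if auth_type == "bearer" and credentials in valid_tokens:
        return 200, credentials
    return 401, None


if __name__ == "__main__":
    # Constructed sample: the Googlebot-style request with an empty header.
    crawler_meta = {"HTTP_AUTHORIZATION": "", "HTTP_HOST": "example.invalid"}
    tokens = {"constructed-token-123"}
    print("naive parser crashes on '':", naive_parse_crashes(""))
    print("defensive parser on '':", parse_authorization(""))
    print("middleware result:", authenticate_request(crawler_meta, tokens))
    print("valid bearer:", authenticate_request(
        {"HTTP_AUTHORIZATION": "Bearer constructed-token-123"}, tokens))
```

The `split(None, 1)` call deliberately splits on the first run of whitespace only, so schemes whose credentials themselves contain spaces (for example a MAC header with several comma-separated parameters) keep the whole remainder intact while the scheme name is still isolated and case-folded.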

bhagany and others added 30 commits March 9, 2012 11:53
Swap simplejson out for stdlib json in the testsites api test
Use new style variable assignment to avoid issues with python version support and remove variable assignment when it's not being used.
Add django-nose and the test stubs
Issue a new access token in refreshing flow
Section 6 of the OAuth2 RFC says that if scope parameter is omitted it "is treated as equal to the scope originally granted by the resource owner." Previously oauth2app cleared the scope if the scope parameter was omitted.

Fixes hiidef#51.
Conflicts:
	oauth2app/authenticate.py
	oauth2app/authorize.py
	oauth2app/models.py
	oauth2app/token.py
	setup.py
	tests/testsite/apps/api/tests/__init__.py
	tests/testsite/apps/api/tests/base.py
	tests/testsite/apps/api/tests/mac.py
	tests/testsite/apps/api/tests/responsetype.py
	tests/testsite/apps/api/tests/scope.py