author | Sean C. Farley <sean-dev@farley.org> | 2013-06-28 10:56:30 -0400 |
---|---|---|
committer | Sean C. Farley <sean-dev@farley.org> | 2013-06-28 10:56:30 -0400 |
commit | 349d9f398afd58cc993f207c4035b85e2bf86b26 (patch) | |
tree | 596f8f8196436883ac11d28047fd5eba1d5e9493 /tests/oauth1/rfc5849/test_utils.py | |
parent | 3f1008106e3dd7b3874e567a992093ed94e95428 (diff) | |
download | oauthlib-349d9f398afd58cc993f207c4035b85e2bf86b26.tar.gz |
Improve resilience to bad authorization headers
Catch IndexError when calling parse_keqv_list in
parse_authorization_header. parse_keqv_list could raise an IndexError
exception if the header has an incomplete key=value pair. Some examples
of this are a broken OAuth header (e.g., OAuth oauth_nonce=) and client
code that attempts to use IWA for authentication (i.e., Negotiate
b2F1dGhsaWI=). IWA uses Base64 which may end with an "=".
Add unit tests for bad authorization headers raising ValueError.
Diffstat (limited to 'tests/oauth1/rfc5849/test_utils.py')
-rw-r--r-- | tests/oauth1/rfc5849/test_utils.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/oauth1/rfc5849/test_utils.py b/tests/oauth1/rfc5849/test_utils.py
index 3e6ce2d..59ee744 100644
--- a/tests/oauth1/rfc5849/test_utils.py
+++ b/tests/oauth1/rfc5849/test_utils.py
@@ -42,6 +42,11 @@ class UtilsTests(TestCase):
 oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D" """.strip()
+ bad_authorization_headers = (
+ "OAuth",
+ "OAuth oauth_nonce=",
+ "Negotiate b2F1dGhsaWI=",
+ )
 def test_filter_params(self):
@@ -127,3 +132,7 @@ class UtilsTests(TestCase):
 ('oauth_token', 'kkk9d7dh3k39sjv7'), ('realm', 'Example')]
 self.assertEqual(sorted(authorization_headers), sorted(correct_headers))
+
+ # Check against malformed headers.
+ for header in self.bad_authorization_headers:
+ self.assertRaises(ValueError, parse_authorization_header, header) |
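Review bot: The entries of `bad_authorization_headers` in the first hunk do not say which failure each one stands for, so the reason `"Negotiate b2F1dGhsaWI="` belongs in an OAuth test can only be recovered from the commit message. A comment per entry would keep that next to the data, for example `# scheme only, no parameters`, `# key with an empty value` and `# non-OAuth scheme; Base64 padding reads as a dangling key=`. A header in which a well-formed pair is followed by an incomplete one is not in the list; it may be worth adding if the parser is meant to reject that as well.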
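Review bot: The malformed-header loop in the second hunk is appended after the `assertEqual` of a test method that starts outside the hunk, so a failure in the well-formed case hides the malformed cases, and a failing `assertRaises` does not say which header was accepted. Moving the loop into its own method, for instance `def test_parse_authorization_header_malformed(self):`, would report the two results separately. The parser presumably receives request-supplied header values, so the `ValueError` contract pinned here is what callers would rely on to reject bad input rather than hit an unhandled `IndexError`. That makes it worth a test that fails on its own.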