author | David Lord <davidism@gmail.com> | 2023-05-01 12:35:06 -0700 |
---|---|---|
committer | David Lord <davidism@gmail.com> | 2023-05-01 12:35:06 -0700 |
commit | 2051469a2be722121369b416a5c14435c9e82f90 (patch) | |
tree | 138bd57ca508ee0c73bdc09db6c00e451e862388 | |
parent | 6e63efe9bad789c8bd0b561bbcfdb28b2fd03475 (diff) | |
download | werkzeug-2051469a2be722121369b416a5c14435c9e82f90.tar.gz |
WWWAuthenticate.from_header handles base64 padding in token
-rw-r--r-- | CHANGES.rst | 4 | ||||
-rw-r--r-- | src/werkzeug/datastructures/auth.py | 9 | ||||
-rw-r--r-- | tests/test_http.py | 13 |
3 files changed, 20 insertions, 6 deletions
diff --git a/CHANGES.rst b/CHANGES.rst
index 0a37fd89..2d83ee59 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -5,8 +5,8 @@ Version 2.3.4
 Unreleased
-- ``Authorization.from_header`` detects tokens that end with base64 padding (``=``).
- :issue:`2685`
+- ``Authorization.from_header`` and ``WWWAuthenticate.from_header`` detects tokens
+ that end with base64 padding (``=``). :issue:`2685`
 Version 2.3.3
diff --git a/src/werkzeug/datastructures/auth.py b/src/werkzeug/datastructures/auth.py
index 7d36a7ff..0d216516 100644
--- a/src/werkzeug/datastructures/auth.py
+++ b/src/werkzeug/datastructures/auth.py
@@ -376,12 +376,13 @@ class WWWAuthenticate:
 scheme, _, rest = value.partition(" ")
 scheme = scheme.lower()
 rest = rest.strip()
- parameters = parse_dict_header(rest)
- if len(parameters) == 1 and parameters[next(iter(parameters))] is None:
- return cls(scheme, None, rest)
+ if "=" in rest.rstrip("="):
+ # = that is not trailing, this is parameters.
+ return cls(scheme, parse_dict_header(rest), None)
- return cls(scheme, parameters, None)
+ # No = or only trailing =, this is a token.
+ return cls(scheme, None, rest)
 def to_header(self) -> str:
 """Produce a ``WWW-Authenticate`` header value representing this data."""
diff --git a/tests/test_http.py b/tests/test_http.py
index 8f21c12a..7d76775b 100644
--- a/tests/test_http.py
+++ b/tests/test_http.py
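Review bot: The new split at `if "=" in rest.rstrip("="):` quietly changes what a bare scheme with nothing after it yields: with `rest == ""` the old code went through `parse_dict_header` and returned `parameters == {}`, while the new code returns `cls(scheme, None, "")`, an empty token, so unless the constructor normalizes an empty token this is an unintended behavior change that deserves either a test or an explicit `if not rest:` branch preserving the old result. The heuristic itself is sound for RFC 7235 token68, where `=` may appear only as trailing padding, but that is the reason it works and the comment should say so rather than restating the condition: `# token68 (RFC 7235 §2.1) allows "=" only as trailing padding; any other "=" means auth-params.` Note that no validation is applied to the token branch, so anything without an inner `=` (including spaces or commas) is accepted as a token, which matches the old behavior but is worth stating in the docstring. The enclosing `from_header` starts outside the hunk; its docstring should say that `parameters` and `token` are mutually exclusive in the returned object.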
@@ -255,6 +255,19 @@ class TestHTTPUtility:
 assert WWWAuthenticate.from_header("broken").type == "broken"
 assert WWWAuthenticate.from_header("") is None
+ def test_www_authenticate_token_padding(self):
+ # padded with =
+ token = base64.b64encode(b"This has base64 padding").decode()
+ a = WWWAuthenticate.from_header(f"Token {token}")
+ assert a.type == "token"
+ assert a.token == token
+
+ # padded with ==
+ token = base64.b64encode(b"This has base64 padding..").decode()
+ a = WWWAuthenticate.from_header(f"Token {token}")
+ assert a.type == "token"
+ assert a.token == token
+
 def test_www_authenticate_eq(self):
 basic1 = WWWAuthenticate.from_header("Basic realm=abc")
 basic2 = WWWAuthenticate("basic", {"realm": "abc"})
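Review bot: The new test pins only padded tokens, while the boundary the parser now relies on — a non-trailing `=` selects the parameters branch — is untested, so a parameter value that itself ends in base64 padding and a scheme with no trailing data are the cases most likely to regress unnoticed. Adding `assert WWWAuthenticate.from_header('Basic realm="abc="').parameters == {"realm": "abc="}` and one assertion on `WWWAuthenticate.from_header("Basic")` (whichever of `token`/`parameters` the constructor is meant to set for an empty remainder) would document the intended behavior; I am inferring the `parse_dict_header` result for the quoted value, so confirm it before committing to the expected dict. An unpadded case such as `Token abc` is also worth a line, since the old implementation reached it through a different code path.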