Skip to content

Commit

Permalink
Validate authorization header in multi auth
Browse files Browse the repository at this point in the history
Fixes #51
  • Loading branch information
miguelgrinberg committed Jan 30, 2017
1 parent f7fe976 commit 7a895d6
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 24 deletions.
2 changes: 1 addition & 1 deletion .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ env:
- TOXENV=flake8
- TOXENV=py26
- TOXENV=py27
- TOXENV=py33
- TOXENV=py34
- TOXENV=py35
- TOXENV=py36
- TOXENV=pypy
- TOXENV=docs
install:
Expand Down
16 changes: 11 additions & 5 deletions flask_httpauth.py
Original file line number Diff line number Diff line change
Expand Up @@ -257,11 +257,17 @@ def login_required(self, f):
def decorated(*args, **kwargs):
selected_auth = None
if 'Authorization' in request.headers:
scheme, creds = request.headers['Authorization'].split(None, 1)
for auth in self.additional_auth:
if auth.scheme == scheme:
selected_auth = auth
break
try:
scheme, creds = request.headers['Authorization'].split(
None, 1)
except ValueError:
# malformed Authorization header
pass
else:
for auth in self.additional_auth:
if auth.scheme == scheme:
selected_auth = auth
break
if selected_auth is None:
selected_auth = self.main_auth
return selected_auth.login_required(f)(*args, **kwargs)
Expand Down
5 changes: 5 additions & 0 deletions tests/test_multi.py
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,8 @@ def test_multi_auth_login_invalid_scheme(self):
self.assertTrue('WWW-Authenticate' in response.headers)
self.assertEqual(response.headers['WWW-Authenticate'],
'Basic realm="Authentication Required"')

def test_multi_malformed_header(self):
response = self.client.get(
'/protected', headers={'Authorization': 'token-without-scheme'})
self.assertEqual(response.status_code, 401)
24 changes: 6 additions & 18 deletions tox.ini
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
[tox]
envlist=flake8,py27,py33,py34,py35,pypy,docs,coverage
envlist=flake8,py27,py34,py35,py36,pypy,docs,coverage
skip_missing_interpreters=True

[testenv]
commands=
coverage run --branch --include=flask_httpauth.py setup.py test
coverage report --show-missing
coverage erase
deps=
coverage

[testenv:flake8]
basepython=python
Expand All @@ -17,33 +19,21 @@ commands=

[testenv:py26]
basepython=python2.6
deps=
coverage

[testenv:py27]
basepython=python2.7
deps=
coverage

[testenv:py33]
basepython=python3.3
deps=
coverage

[testenv:py34]
basepython=python3.4
deps=
coverage

[testenv:py35]
basepython=python3.5
deps=
coverage

[testenv:py36]
basepython=python3.6

[testenv:pypy]
basepython=pypy
deps=
coverage

[testenv:docs]
basepython=python2.7
Expand All @@ -57,8 +47,6 @@ commands=

[testenv:coverage]
basepython=python
deps=
coverage
commands=
coverage run --branch --source=flask_httpauth.py setup.py test
coverage html
Expand Down

0 comments on commit 7a895d6

Please sign in to comment.