Catching exception when Authorization header is empty

Previously, if browser would send a: Authorized: Token (where Token can be another auth token) or simply: Authorized: <blank> http header, the split() method raises a ValueError resulting in a 500 error. This errenous header should (probably) be handled as if it was not there or otherwise invalid, catching the error and doing nothing does just that.
miguelgrinberg · Mar 9, 2016 · 88d073e · 88d073e
1 parent f2c0cf4
commit 88d073e
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/flask_httpauth.py b/flask_httpauth.py
@@ -60,9 +60,14 @@ def decorated(*args, **kwargs):
                 # Flask/Werkzeug do not recognize any authentication types
                 # other than Basic or Digest, so here we parse the header by
                 # hand
-                auth_type, token = request.headers['Authorization'].split(
-                    None, 1)
-                auth = Authorization(auth_type, {'token': token})
+                try:
+                    auth_type, token = request.headers['Authorization'].split(
+                        None, 1)
+                    auth = Authorization(auth_type, {'token': token})
+                except ValueError:
+                    # The Authorization header is either empty or has no token
+                    pass
+
             if auth is not None and auth.type.lower() != self.scheme.lower():
                 return self.auth_error_callback()
             # Flask normally handles OPTIONS requests on its own, but in the