Handle malformed Authorization headers without a 500. by alexdutton · Pull Request #41 · hiidef/oauth2app

alexdutton · 2013-03-04T09:15:33Z

There's an uncaught exception when the Authentication header is empty, as handily pointed out by the Googlebot:

Traceback (most recent call last):

  File "/usr/lib/python2.6/dist-packages/django/core/handlers/base.py", line 89, in get_response
    response = middleware_method(request)

  File "/usr/lib/python2.6/dist-packages/dataox/oauth2/middleware.py", line 10, in process_request
    authenticator.validate(request)

  File "/etc/puppet/src/oauth2app/oauth2app/authenticate.py", line 97, in validate
    self.auth_type = auth[0].lower()

IndexError: list index out of range

<WSGIRequest
path:/foo/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'DOCUMENT_ROOT': '/etc/apache2/htdocs',
 'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTPS': '1',
 'HTTP_ACCEPT': '*/*',
 'HTTP_ACCEPT_ENCODING': 'gzip,deflate',
 'HTTP_AUTHORIZATION': '',
 'HTTP_CONNECTION': 'Keep-alive',
 'HTTP_FROM': 'googlebot(at)googlebot.com',
 'HTTP_HOST': 'data.ox.ac.uk',
 'HTTP_IF_MODIFIED_SINCE': 'Fri, 11 Jan 2013 04:50:27 GMT',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',>

I noticed another part susceptible to this problem in oauth2app.token, where an Authentication header that didn't split() into at least two parts would throw an error, which I've also fixed.

Swap simplejson out for stdlib json in the testsites api test

Use new style variable assignment to avoid issues with python version support and remove variable assignment when it's not being used.

Tidy up Exception Handling

Add django-nose and the test stubs

…f current oauth2 draft.

Issue a new access token in refreshing flow

…hout 500

Section 6 of the OAuth2 RFC says that if scope parameter is omitted it "is treated as equal to the scope originally granted by the resource owner." Previously oauth2app cleared the scope if the scope parameter was omitted. Fixes hiidef#51.

Conflicts: oauth2app/authenticate.py oauth2app/authorize.py oauth2app/models.py oauth2app/token.py setup.py tests/testsite/apps/api/tests/__init__.py tests/testsite/apps/api/tests/base.py tests/testsite/apps/api/tests/mac.py tests/testsite/apps/api/tests/responsetype.py tests/testsite/apps/api/tests/scope.py

bhagany and others added 30 commits March 9, 2012 11:53

Merge branch 'hotfix/none_scope'

ec50856

Swap simplejson out for stdlib json

af61938

Merge pull request hiidef#12 from ghickman/master

db16899

Swap simplejson out for stdlib json in the testsites api test

Tidy up exception handling

3a10095

Use new style variable assignment to avoid issues with python version support and remove variable assignment when it's not being used.

Merge branch 'master' of git://github.com/hiidef/oauth2app

af2b717

Add django nose to the example project

e17d266

Stub out the authenticate tests

73395d9

Merge pull request hiidef#14 from ghickman/3a100951

6784806

Tidy up Exception Handling

Merge pull request hiidef#15 from ghickman/73395d97

1efb332

Add django-nose and the test stubs

Issue a new access token in refreshing flow. According to chapter 6 o…

a5cf37c

…f current oauth2 draft.

Merge pull request hiidef#30 from frutik/master

b00cc5e

Issue a new access token in refreshing flow

Prefer simplejson, but fall back to json

23d717a

Fix absolute_http_url_re import with fallback

8f11c32

Fix test failures

8349777

Enable use of custom user models for django1.5+

e823dc7

call get_user_model in try block for better backwards compatibility

080f6fa

Handle malformed (e.g. empty, single token) Authorization headers wit…

78fc23e

…hout 500

Added flag allowing a client to skip confirmation from the user.

6b42914

Allow individual scopes to expire after fixed periods.

ee1468c

Allow admins to limit clients to using only particular scopes.

fe6833c

AccessRange can now manage permissions directly through a fake user.

6f4bc48

Added a label to AccessRange, for added user-friendliness.

200d7fc

Added __unicode__() to AccessRange.

1e23b29

Added basic admin site integration.

916c241

Added views and templates for authorize and token endpoints.

a4df8e7

Tidying code (trailing whitespace; spurious print statements)

0a0ca20

Make groups available on proxy users.

d0f3ab7

Removed return statement as it precluded checking token expiry.

53bfbb3

Better expiry display in admin

9d2359d

alexdutton added 4 commits February 9, 2015 11:48

Don't assume every request has a user attribute in response middleware.

d0453eb

Make sure we have scopes on our user before trying to access them

619b0d7

Dj1.7 support

34dedfd

alexdutton force-pushed the develop branch from ff0f341 to 34dedfd Compare February 11, 2015 10:49

alexdutton and others added 7 commits February 9, 2017 12:24

Updates for Py3 and Django1.10

e050ee5

add on_delete argument to django ForeignKeys

becedb4

add app_name to urls file

807d068

compatibility with newer django middleware settings

1e48ffb

is_authenticated is no longer a method

5c195aa

correct import path for urls.reverse

a445987

fix Unicode-objects must be encoded before hashing

c211adf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handle malformed Authorization headers without a 500.#41

Handle malformed Authorization headers without a 500.#41
alexdutton wants to merge 41 commits intohiidef:developfrom
ox-it:develop

alexdutton commented Mar 4, 2013

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

alexdutton commented Mar 4, 2013

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants