Merge branch 'basicauth_valunarability' of https://github.com/hirokiky/django-oauth-toolkit into hirokiky-basicauth_valunarability

Conflicts:
	AUTHORS

Author: masci

AUTHORS

@@ -12,3 +12,4 @@ Emanuele Palazzetti
 David Fischer
 Ash Christopher
 Rodney Richardson
+Hiroki Kiyohara

oauth2_provider/oauth2_validators.py

@@ -1,6 +1,7 @@
 from __future__ import unicode_literals
 
 import base64
+import binascii
 import logging
 from datetime import timedelta
 
@@ -35,7 +36,11 @@ def _extract_basic_auth(self, request):
         if not auth:
             return None
 
-        auth_type, auth_string = auth.split(' ')
+        splitted = auth.split(' ', 1)
+        if len(splitted) != 2:
+            return None
+        auth_type, auth_string = splitted
+
         if auth_type != "Basic":
             return None
 
@@ -54,7 +59,20 @@ def _authenticate_basic_auth(self, request):
 
         encoding = request.encoding or 'utf-8'
 
-        auth_string_decoded = base64.b64decode(auth_string).decode(encoding)
+        try:
+            b64_decoded = base64.b64decode(auth_string)
+        except (TypeError, binascii.Error):
+            log.debug("Failed basic auth: %s can't be decoded as base64", auth_string)
+            return False
+
+        try:
+            auth_string_decoded = b64_decoded.decode(encoding)
+        except UnicodeDecodeError:
+            log.debug("Failed basic auth: %s can't be decoded as unicode by %s",
+                      auth_string,
+                      encoding)
+            return False
+
         client_id, client_secret = map(unquote_plus, auth_string_decoded.split(':', 1))
 
         if self._load_application(client_id, request) is None:

oauth2_provider/tests/test_oauth2_validators.py

@@ -42,6 +42,40 @@ def test_extract_basic_auth(self):
         self.assertIsNone(self.validator._extract_basic_auth(self.request))
         self.request.headers = {'HTTP_AUTHORIZATION': 'Dummy 123456'}
         self.assertIsNone(self.validator._extract_basic_auth(self.request))
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic'}
+        self.assertIsNone(self.validator._extract_basic_auth(self.request))
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic 123456 789'}
+        self.assertEqual(self.validator._extract_basic_auth(self.request), '123456 789')
+
+    def test_authenticate_basic_auth(self):
+        self.request.encoding = 'utf-8'
+        # client_id:client_secret
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=\n'}
+        self.assertTrue(self.validator._authenticate_basic_auth(self.request))
+
+    def test_authenticate_basic_auth_wrong_client_id(self):
+        self.request.encoding = 'utf-8'
+        # wrong_id:client_secret
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic d3JvbmdfaWQ6Y2xpZW50X3NlY3JldA==\n'}
+        self.assertFalse(self.validator._authenticate_basic_auth(self.request))
+
+    def test_authenticate_basic_auth_wrong_client_secret(self):
+        self.request.encoding = 'utf-8'
+        # client_id:wrong_secret
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic Y2xpZW50X2lkOndyb25nX3NlY3JldA==\n'}
+        self.assertFalse(self.validator._authenticate_basic_auth(self.request))
+
+    def test_authenticate_basic_auth_not_b64_auth_string(self):
+        self.request.encoding = 'utf-8'
+        # Can't b64decode
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic not_base64'}
+        self.assertFalse(self.validator._authenticate_basic_auth(self.request))
+
+    def test_authenticate_basic_auth_not_utf8(self):
+        self.request.encoding = 'utf-8'
+        # b64decode('test') will become b'\xb5\xeb-', it can't be decoded as utf-8
+        self.request.headers = {'HTTP_AUTHORIZATION': 'Basic test'}
+        self.assertFalse(self.validator._authenticate_basic_auth(self.request))
 
     def test_authenticate_client_id(self):
         self.assertTrue(self.validator.authenticate_client_id('client_id', self.request))