Request.authorization raises ValueError for unusual or malformed header values

[lrowe]

I'm seeing errors such as the following being logged in production:

  File "xxx.py", line 91, in xxx
    if request.authorization is not None:
  File "eggs/WebOb-1.4.1-py3.4.egg/webob/descriptors.py", line 164, in fget
    return parse(hget(r))
  File "eggs/WebOb-1.4.1-py3.4.egg/webob/descriptors.py", line 321, in parse_auth
    authtype, params = val.split(' ', 1)
ValueError: need more than 1 value to unpack

I believe this is because the Authorization header is malformed (does not contain a space or is blank.) Raising a ValueError here means that application code must protect each access to Request.authorization with a try/except block. WebOb should probably handle such cases more elegantly.

[mmerickel]

In my own code I do have this try/except block. I actually didn't mind handling it myself to respond with a different error for a malformed header versus invalid credentials but I agree it can be non-obvious.

[digitalresistor]

I don't think WebOb should silently return something that may or may not look like a valid authorization header.

Instead of raising a ValueError it should probably raise an exception that is not as generic and can be traced back to being a malformed header.

If user code specifically requests a header, especially one that is related to security, WebOb shouldn't silently attempt to acquiesce the malformed header.

[lrowe]

The request that triggered my logged error had a User-Agent of "Microsoft Office Word 2014". Googling shows that Microsoft Office DAV may send Authorization: Bearer:

• Microsoft Word Locks not working anymore ?  mikedeboer/jsDAV#129
• https://social.technet.microsoft.com/Forums/windowsserver/en-US/4671c926-63da-4a0f-951c-98d3351db827/problem-office-2016-saving-to-webdav?forum=officeitpro

I think there's a good argument for saying set_credentials(('AuthType', '')) should return 'AuthType ' (with a space) instead of 'AuthType' as my PR currently does.

But when accessing Request.authorization, I don't think it makes much sense distinguish between 'AuthType' without a space and 'AuthType ' with a space by raising in the first case. Auth code will need to check the credential params anyway, and will presumably reject it if blank.

[lrowe]

I've changed my PR so that set_credentials(('AuthType', '')) now returns 'AuthType ' which is spec compliant.

[digitalresistor]

Where is set_credentials located? I can't find it in the WebOb source code, so I am not sure what those comments are related to.

[jalan]

This issue affects pyramid_debugtoolbar. The "Request Vars" panel accesses request.authorization and does not handle ValueError:

2017-04-11 15:03:57,646 ERROR [waitress:341][waitress] Exception when serving /
Traceback (most recent call last):
  File "[...]/waitress-1.0.2-py3.5.egg/waitress/channel.py", line 338, in service
    task.service()
  File "[...]/waitress-1.0.2-py3.5.egg/waitress/task.py", line 169, in service
    self.execute()
  File "[...]/waitress-1.0.2-py3.5.egg/waitress/task.py", line 399, in execute
    app_iter = self.channel.server.application(env, start_response)
  File "[...]/pyramid/router.py", line 233, in __call__
    response = self.invoke_subrequest(request, use_tweens=True)
  File "[...]/pyramid/router.py", line 208, in invoke_subrequest
    response = handle_request(request)
  File "[...]/pyramid_debugtoolbar-3.0.5-py3.5.egg/pyramid_debugtoolbar/toolbar.py", line 272, in toolbar_tween
    toolbar.process_response(request, response)
  File "[...]/pyramid_debugtoolbar-3.0.5-py3.5.egg/pyramid_debugtoolbar/toolbar.py", line 87, in process_response
    panel.process_response(response)
  File "[...]/pyramid_debugtoolbar-3.0.5-py3.5.egg/pyramid_debugtoolbar/panels/request_vars.py", line 134, in process_response
    extracted_attributes = extract_request_attributes(self.request)
  File "[...]/pyramid_debugtoolbar-3.0.5-py3.5.egg/pyramid_debugtoolbar/panels/request_vars.py", line 60, in extract_request_attributes
    if not hasattr(request, attr_):
  File "[...]/webob/descriptors.py", line 164, in fget
    return parse(hget(r))
  File "[...]/webob/descriptors.py", line 321, in parse_auth
    authtype, params = val.split(' ', 1)
ValueError: not enough values to unpack (expected 2, got 1)

I'd say that's a good indication that raising ValueError here is unexpected. I can confirm that the change in #232 fixes the issue for the debug toolbar.

[digitalresistor]

Merged the change into WebOb in #318