Catch UnicodeDecodeError when passing malformed data in authorizati…

…on header (Fixes #122)

flask_httpauth.py

@@ -169,9 +169,10 @@ def decorated(*args, **kwargs):
         return login_required_internal
 
     def username(self):
-        if not request.authorization:
+        auth = self.get_auth()
+        if not auth:
             return ""
-        return request.authorization.username
+        return auth.username
 
     def current_user(self):
         if hasattr(g, 'flask_httpauth_user'):
@@ -205,9 +206,14 @@ def get_auth(self):
             username, password = b64decode(credentials).split(b':', 1)
         except (ValueError, TypeError):
             return None
+        try:
+            username = username.decode('utf-8')
+            password = password.decode('utf-8')
+        except UnicodeDecodeError:
+            username = None
+            password = None
         return Authorization(
-            scheme, {'username': username.decode('utf-8'),
-                     'password': password.decode('utf-8')})
+            scheme, {'username': username, 'password': password})
 
     def authenticate(self, auth, stored_password):
         if auth:

tests/test_basic_verify_password.py

@@ -75,6 +75,13 @@ def test_verify_auth_login_invalid(self):
         self.assertEqual(response.status_code, 403)
         self.assertTrue('WWW-Authenticate' in response.headers)
 
+    def test_verify_auth_login_malformed_password(self):
+        creds = 'eyJhbGciOieyJp=='
+        response = self.client.get('/basic-verify',
+                                   headers={'Authorization': 'Basic ' + creds})
+        self.assertEqual(response.status_code, 403)
+        self.assertTrue('WWW-Authenticate' in response.headers)
+
 
 class HTTPAuthTestCaseOldStyle(HTTPAuthTestCase):
     use_old_style_callback = True