Merge pull request #350 from cheif/master

Handle empty/non-parsable query strings
oauthlib · Jul 1, 2015 · 08970a8 · 08970a8
2 parents c806879 + 6a43514
commit 08970a8
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -308,7 +308,11 @@ def validate_authorization_request(self, request):
             raise errors.InvalidRequestError(description='Missing response_type parameter.', request=request)
 
         for param in ('client_id', 'response_type', 'redirect_uri', 'scope', 'state'):
-            if param in request.duplicate_params:
+            try:
+                duplicate_params = request.duplicate_params
+            except ValueError:
+                raise errors.InvalidRequestError(description='Unable to parse query string', request=request)
+            if param in duplicate_params:
                 raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, request=request)
 
         if not self.request_validator.validate_response_type(request.client_id,

diff --git a/oauthlib/oauth2/rfc6749/grant_types/implicit.py b/oauthlib/oauth2/rfc6749/grant_types/implicit.py
@@ -310,7 +310,11 @@ def validate_token_request(self, request):
                                              request=request)
 
         for param in ('client_id', 'response_type', 'redirect_uri', 'scope', 'state'):
-            if param in request.duplicate_params:
+            try:
+                duplicate_params = request.duplicate_params
+            except ValueError:
+                raise errors.InvalidRequestError(description='Unable to parse query string', request=request)
+            if param in duplicate_params:
                 raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, request=request)
 
         # REQUIRED. Value MUST be set to "token".

diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -100,6 +100,17 @@ def test_invalid_client_id(self):
         self.assertRaises(errors.InvalidClientIdError,
                 self.mobile.create_authorization_response, uri, scopes=['foo'])
 
+    def test_empty_parameter(self):
+        uri = 'https://example.com/authorize?client_id=foo&redirect_uri=https%3A%2F%2Fi.b%2Fback&response_type=code&'
+
+        # Authorization code grant
+        self.assertRaises(errors.InvalidRequestError,
+                self.web.validate_authorization_request, uri)
+
+        # Implicit grant
+        self.assertRaises(errors.InvalidRequestError,
+                self.mobile.validate_authorization_request, uri)
+
     def test_invalid_request(self):
         self.validator.get_default_redirect_uri.return_value = 'https://i.b/cb'
         token_uri = 'https://i.b/token'