parse_authorization_header raises UnicodeDecodeError, not returning None #1816

Closed
ArchibaldArt opened this issue May 26, 2020 · 3 comments · Fixed by #1833

ArchibaldArt commented May 26, 2020

The werkzeug.http.parse_authorization_header() docstring states:

> The return value is either None if the header was invalid or not given

But when passed an improperly formatted string (i.e. one that is not properly UTF-8 encoded) it raises a UnicodeDecodeError exception:

```pycon
>>> import base64
>>> from werkzeug.http import parse_authorization_header
>>> value = 'Basic ' + base64.b64encode(b'\xffser:pass').decode()
>>> parse_authorization_header(value)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/py3.8/lib/python3.8/site-packages/werkzeug/http.py", line 610, in parse_authorization_header
    "username": to_unicode(username, _basic_auth_charset),
  File "/py3.8/lib/python3.8/site-packages/werkzeug/_compat.py", line 219, in to_unicode
    return x.decode(charset, errors)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte
```

Am I right that exception handling should be added in parse_authorization_header()?
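As an added example (not Werkzeug's own code and not part of this issue), the following puts a parser that has the failure mode reported above beside a hardened version that honours the docstring's contract: any malformed header, including credentials that are not valid UTF-8, yields None so the caller can answer with a 401 instead of crashing. The function names, the `charset` parameter and the sample header values are constructed for this illustration; the reproducer header is built from the same bytes as the issue's `b'\xffser:pass'`.

```python
"""Defensive parsing of an HTTP Basic Authorization header.

Added example, not Werkzeug's own code. Function names, the `charset`
parameter and the sample headers below are constructed for illustration.
"""
import base64
from typing import Optional, Tuple


def parse_basic_naive(value: str) -> Optional[Tuple[str, str]]:
    """Reproduce the failure mode from the issue: decode errors propagate to the caller."""
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    raw = base64.b64decode(parts[1])  # lenient decoding; may itself raise on bad padding
    creds = raw.split(b":", 1)
    if len(creds) != 2:
        return None
    # Client-controlled bytes that are not valid UTF-8 make this raise UnicodeDecodeError.
    return creds[0].decode("utf-8"), creds[1].decode("utf-8")


def parse_basic_hardened(value: Optional[str], charset: str = "utf-8") -> Optional[Tuple[str, str]]:
    """Return (username, password), or None for anything malformed; never raise on client input.

    `charset` is an assumed parameter standing in for a configurable credential
    charset; mapping a None result to a 401 response is left to the caller.
    """
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects non-alphabet characters and bad padding instead of
        # silently discarding them; non-ASCII input raises ValueError as well.
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    username, sep, password = raw.partition(b":")
    if not sep:
        return None  # no colon separator means this is not a Basic credential
    try:
        return username.decode(charset), password.decode(charset)
    except UnicodeDecodeError:
        return None  # the client sent bytes that are not valid in the declared charset


def build_header(username: bytes, password: bytes) -> str:
    """Helper to construct a header value from raw credential bytes."""
    return "Basic " + base64.b64encode(username + b":" + password).decode("ascii")


# Constructed inputs: the issue's reproducer (username bytes start with 0xFF),
# a well-formed header, and a payload with no colon separator.
BAD_UTF8_HEADER = build_header(b"\xffser", b"pass")
GOOD_HEADER = build_header(b"user", b"pass")
NO_COLON_HEADER = "Basic " + base64.b64encode(b"nocolon").decode("ascii")


def demo() -> dict:
    """Run both parsers on the constructed inputs and report what happened."""
    results = {}
    try:
        parse_basic_naive(BAD_UTF8_HEADER)
        results["naive"] = "returned"
    except UnicodeDecodeError as exc:
        results["naive"] = f"raised {type(exc).__name__}"
    results["hardened_bad"] = parse_basic_hardened(BAD_UTF8_HEADER)
    results["hardened_good"] = parse_basic_hardened(GOOD_HEADER)
    # With a charset that can represent every byte, the same bytes decode fine,
    # which is why the charset must come from configuration rather than be guessed.
    results["hardened_latin1"] = parse_basic_hardened(BAD_UTF8_HEADER, charset="latin-1")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The hardened variant treats every failure on the path from header text to decoded credentials as "invalid header" and returns None, which is what a request handler needs in order to emit a 401; the only exception it lets through is a misconfigured charset name, which is a server-side bug and should surface.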

davidism (Member) commented

This is an issue with how you constructed the header: you relied on whatever encoding your local machine was set to rather than using 'utf-8'. I don't think this needs to be handled in Werkzeug as it shouldn't come up in normal use and would indicate an issue with the client if the encoding it sends doesn't decode the bytes.

ArchibaldArt commented May 26, 2020

> This is an issue with how you constructed the header: you relied on whatever encoding your local machine was set to rather than using 'utf-8'. I don't think this needs to be handled in Werkzeug as it shouldn't come up in normal use and would indicate an issue with the client if the encoding it sends doesn't decode the bytes.

Such behaviour differs from the docstring. In fact the Authorization header is improperly formatted and invalid.
Imagine you have a production server and someone sends auth requests using an improperly formatted header. The correct behaviour would be to reply with 401, which in turn is generated using the None response from parse_authorization_header().

E.g. Flask-Login uses Flask's request.authorization, which in turn uses parse_authorization_header().
As a result you get UnicodeDecodeError rather than 401.

ArchibaldArt changed the title from "parse_authorization_header raises UnicodeEncodeError, not returning None" to "parse_authorization_header raises UnicodeDecodeError, not returning None" on May 26, 2020

mitsuhiko (Contributor) commented

The server should not crash as a result of the client sending bad data. This is indeed a bug in the function that should be fixed.

davidism reopened this May 28, 2020
davidism added this to the 2.0.0 milestone Jun 11, 2020
github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020