Rack::Auth::AbstractRequest will throw given empty Authorization header #438

ebroder opened this Issue Oct 10, 2012 · 0 comments


ebroder commented Oct 10, 2012

I ran into this issue attempting to extract information from an Authorization header that turned out to be empty:

```
[1] pry(main)> require 'rack'
=> true
[2] pry(main)> req = Rack::Auth::AbstractRequest.new({'HTTP_AUTHORIZATION' => ''})
=> #<Rack::Auth::AbstractRequest:0x7fbe55234590 @env={"HTTP_AUTHORIZATION"=>""}>
[3] pry(main)> req.scheme
NoMethodError: undefined method `downcase' for nil:NilClass
from /home/evan/.rbenv/versions/1.8.7-p370/lib/ruby/gems/1.8/gems/rack-1.4.1/lib/rack/auth/abstract/request.rb:24:in `scheme'
```

Based on my read of RFC 2616 and 2617, that form of the header is invalid [*]. The application should probably return a 400, but I'm not sure what the API for AbstractRequest should be to accomplish that.

Here's a strawman proposal:

Given a malformed header, #provided? should return false. This will generally cause the application to return a 401, not a 400. All other methods are fine to throw in the case that #provided? returns false (I think this is basically already true).

[*] RFC 2616 and 2617 collectively specify the following grammar for the Authorization header:

```
auth-scheme    = token
auth-param     = token "=" ( token | quoted-string )

credentials    = auth-scheme #auth-param

Authorization  = "Authorization" ":" credentials
```
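One way the strawman above could look in code, as an added example written here rather than Rack's own implementation: `SafeAuthRequest`, its header-key list and the token pattern are assumed stand-ins for `Rack::Auth::AbstractRequest`, and `provided?` returns false for an absent, empty or non-token auth-scheme so that `scheme` returns nil instead of raising.

```ruby
# Added example, not Rack's code: a stand-alone request wrapper that treats an
# empty or malformed Authorization header as "not provided" (the proposal above).
class SafeAuthRequest
  # Header keys as Rack exposes them in env (assumed list for this example).
  AUTHORIZATION_KEYS = ['HTTP_AUTHORIZATION', 'X-HTTP_AUTHORIZATION', 'X_HTTP_AUTHORIZATION']

  # RFC 2616 "token": one or more chars that are neither CTLs nor separators.
  TOKEN = /\A[^\x00-\x1F\x7F()<>@,;:\\"\/\[\]?={} \t]+\z/

  def initialize(env)
    @env = env
  end

  def authorization_key
    @authorization_key ||= AUTHORIZATION_KEYS.detect { |k| @env.key?(k) }
  end

  # False when the header is missing, blank, or its auth-scheme is not a token.
  # The grammar allows zero auth-params, so a bare "Bearer" still counts.
  def provided?
    return false if authorization_key.nil?
    value = @env[authorization_key]
    return false if value.nil? || value.strip.empty?
    TOKEN.match?(parts.first)
  end

  # [auth-scheme, rest-of-credentials]; never raises on an empty string.
  def parts
    @parts ||= @env[authorization_key].to_s.strip.split(' ', 2)
  end

  # nil rather than NoMethodError when nothing usable was sent.
  def scheme
    return nil unless provided?
    @scheme ||= parts.first.downcase.to_sym
  end

  # The auth-param portion, or nil when absent or the header is unusable.
  def params
    return nil unless provided?
    parts[1]
  end
end
```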

@raggi raggi closed this in e2c530c Nov 2, 2012

raggi added a commit that referenced this issue Jan 4, 2013

