Fix issue with empty values within delimited authorization header

When the Authorization header would contain a set of delimited values where one or more values were blank, an ArgumentError would be raised. This resolves that by removing blank values during parsing of the Authorization header.
rails · May 22, 2023 · 7d8cb15 · 7d8cb15
1 parent b4369aa
commit 7d8cb15
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -513,6 +513,7 @@ def rewrite_param_values(array_params)
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
         _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
@@ -180,6 +180,16 @@ def authenticate_long_credentials
     assert_nil actual
   end
 
+  test "token_and_options ignores empty elements in header value" do
+    token = "foo,,bar,  ,   , baz=qux"
+    expected_token = "foo"
+    expected_options = { "bar" => nil, "baz" => "qux" }
+
+    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token, {}))
+    assert_equal expected_token, actual.first
+    assert_equal expected_options, actual.last
+  end
+
   test "raw_params returns a tuple of two key value pair strings" do
     auth = sample_request("rcHu+HzSFw89Ypyhn/896A=").authorization.to_s
     actual = ActionController::HttpAuthentication::Token.raw_params(auth)