Fix issue with empty values within delimited authorization header #47910
Does it say anywhere in the spec what we should do with blank values? Throwing them away makes sense, but I wanted to double check. |
The spec does say that empty elements in a header value are valid:
But they're not supported with the current parsing code for the We already cast missing values to nil, e.g. |
04a3ab5 to 4b7a774
@zzak I kind of changed my mind, so I refactored the code to retain empty header values, per the HTTP spec. I like this version better, but let me know if you'd like me to revert to the earlier solution using |
4b7a774 to f3b0b21
I think sticking to the spec is the best path forward, let's wait to hear what other committers/core think 🙏 Thanks for digging into this further! |
However, the paragraph at the beginning of that section says:
|
All empty values ( But let me know which direction we want to go in and I'll get the PR fixed up. |
Is there a benefit to including the values in the Hash, instead of ignoring them per the spec? |
f3b0b21 to 6b06f19
Not that I can think of. I'll revert to my original changeset. |
ab292f5 to 48d3ae1
326818d to d9907fd
When the Authorization header would contain a set of delimited values where one or more values were blank, an ArgumentError would be raised. This resolves that by removing blank values during parsing of the Authorization header.
d9907fd to 7d8cb15
I pushed a commit to use Thank you, @ezekg! ⚪ ⚫ ⚪ |
Motivation / Background
This Pull Request has been created because certain delimited Authorization header values can be used to produce an ArgumentError, typically resulting in a 500 error response.
Detail
This Pull Request changes the token_and_options method to remove blank values, which cause the argument error. Typically, raw_params returns an array of tuples, but when an authorization header contains blank values, such as with Bearer foo,,bar (note the blank value, between the 2 , delimiters), the raw_params method will include non-tuple values. These values are then passed to Hash[], but that method only accepts sets of 1 or 2 arguments, not 0. Unfortunately, this ends up raising an ArgumentError: invalid number of elements (0 for 1..2).
Additional information
N/A
Checklist
Before submitting the PR make sure the following are checked:
[Fix #issue-number]
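The failure described in this pull request can be reproduced in plain Ruby. The block below is an added example, not code from the PR or from Rails: the method names, the scheme-stripping regex and the `,`/`;` delimiter set are assumptions made for illustration, and the sample headers are constructed.

```ruby
# Simplified stand-in for delimited Authorization header parsing.
# Hypothetical names throughout; this is not the Rails implementation.

DELIMITERS = /\s*[,;]\s*/ # assumed delimiter set

# Drop the scheme ("Bearer ") and split the rest on the delimiters.
# "foo,,bar" yields ["foo", "", "bar"]: the blank element is kept.
def split_params(header)
  header.to_s.sub(/\A\S+\s+/, "").split(DELIMITERS)
end

# Turn "key=value" into ["key", "value"] and "key" into ["key"].
# A blank element becomes [], which is not a 1- or 2-element tuple.
def pairs_from(raw)
  raw.map { |param| param.split(/=(.+)?/) }
end

# Before: every element is handed to Hash[], so one blank value
# is enough to raise ArgumentError.
def parse_naive(header)
  Hash[pairs_from(split_params(header))]
end

# After: blank elements are removed before the pairs are built.
def parse_hardened(header)
  Hash[pairs_from(split_params(header).reject { |p| p.strip.empty? })]
end

# Returns :ok, or the exception message when parsing raises.
# Left unrescued in a request handler, this is the 500 response.
def outcome(header)
  parse_naive(header)
  :ok
rescue ArgumentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  header = "Bearer foo,,bar" # constructed sample from the PR description
  puts "naive:    #{outcome(header)}"
  puts "hardened: #{parse_hardened(header).inspect}"
end
```

A regression test for this class of bug should cover a blank element in the middle of the header and at its start; Ruby's `split` already discards trailing empty elements.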