Avoid errors from invalid Authorization headers (issue2550992).

jsm28 · jsm28 · commit f5af29506192 · 2018-09-27T11:38:05.000Z
When a client sends an invalid HTTP Authorization header, this can
result in an email being sent to the admin with a backtrace and the
"An error has occurred" page being returned to the client, rather than
it just being treated as a normal authentication failure.  I've
observed this happening with an "Authorization: Bearer" header
(missing the argument that should come after Bearer); I don't know
what client was sending that invalid header, but since it just sent
HEAD requests for three random pages with the invalid header, I'm
reasonably sure it was a malfunctioning bot rather than any normal
browser used by a human.

The problem is in the code:

                # try handling Basic Auth ourselves
                auth = self.env['HTTP_AUTHORIZATION']
                scheme, challenge = auth.split(' ', 1)

which results in "ValueError: need more than 1 value to unpack" in the
case where the split() call returns only one value.  As a
malfunctioning client (quite likely probing lots of sites for some
sort of vulnerability in some unrelated web service; any site
accessible from the public Internet must expect to receive many such
probes all the time), it both isn't useful to report to the Roundup
admin (because there are such clients attempting dubious things all
the time for any site, so reporting them to the admin is just noise)
and in the form of that exception gives no user-friendly information
to the admin either.

Now subsequent code in the Authorization handling *does* catch errors
from invalid arguments, so the code certainly isn't consistently
trying to pass such exceptions through to the admin either:

                    try:
                        decoded = b2s(base64.b64decode(challenge))
                    except TypeError:
                        # invalid challenge
                        decoded = ''

This fix arranges for ValueError exceptions to be similarly caught
around the tuple unpacking of both the header contents and the decoded
challenge for Basic auth, so that those exceptions also do not result
in exception emails.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -49,6 +49,8 @@ Fixed:
   Schlatterbeck)
 - issue2550722: avoid errors from selecting "no selection" on
   multilink. (Joseph Myers)
+- issue2550992: avoid errors from invalid Authorization
+  headers. (Joseph Myers)
 
 
 2018-07-13 1.6.0
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -837,14 +837,24 @@ def determine_user(self):
             elif self.env.get('HTTP_AUTHORIZATION', ''):
                 # try handling Basic Auth ourselves
                 auth = self.env['HTTP_AUTHORIZATION']
-                scheme, challenge = auth.split(' ', 1)
+                try:
+                    scheme, challenge = auth.split(' ', 1)
+                except ValueError:
+                    # Invalid header.
+                    scheme = ''
+                    challenge = ''
                 if scheme.lower() == 'basic':
                     try:
                         decoded = b2s(base64.b64decode(challenge))
                     except TypeError:
                         # invalid challenge
                         decoded = ''
-                    username, password = decoded.split(':', 1)
+                    try:
+                        username, password = decoded.split(':', 1)
+                    except ValueError:
+                        # Invalid challenge.
+                        username = ''
+                        password = ''
                     try:
                         # Current user may not be None, otherwise
                         # instatiation of the login action will fail.
