Fix handling of invalid base64 values (#2718)

pallets · Jun 2, 2023 · 4afaf51 · 4afaf51
2 parents d5b454a + c52fa37
commit 4afaf51
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -6,6 +6,7 @@ Version 2.3.5
 Unreleased
 
 -   Python 3.12 compatibility. :issue:`2704`
+-   Fix handling of invalid base64 values in ``Authorization.from_header``. :issue:`2717`
 
 
 Version 2.3.4

diff --git a/src/werkzeug/datastructures/auth.py b/src/werkzeug/datastructures/auth.py
@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import base64
+import binascii
 import typing as t
 import warnings
 from functools import wraps
@@ -107,7 +108,7 @@ def from_header(cls, value: str | None) -> te.Self | None:
         if scheme == "basic":
             try:
                 username, _, password = base64.b64decode(rest).decode().partition(":")
-            except UnicodeError:
+            except (binascii.Error, UnicodeError):
                 return None
 
             return cls(scheme, {"username": username, "password": password})

diff --git a/tests/test_http.py b/tests/test_http.py
@@ -216,6 +216,9 @@ def test_authorization_token_padding(self):
         assert a.type == "token"
         assert a.token == token
 
+    def test_authorization_basic_incorrect_padding(self):
+        assert Authorization.from_header("Basic foo") is None
+
     def test_bad_authorization_header_encoding(self):
         """If the base64 encoded bytes can't be decoded as UTF-8"""
         content = base64.b64encode(b"\xffser:pass").decode()