From c52fa3770e732e06121dae8a2d1a0679056380d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20K=C3=B6hn?= Date: Fri, 2 Jun 2023 20:51:06 +0000 Subject: [PATCH] Fix handling of invalid base64 values --- CHANGES.rst | 1 + src/werkzeug/datastructures/auth.py | 3 ++- tests/test_http.py | 3 +++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES.rst b/CHANGES.rst index 7c44e1e77..395ae9ada 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -6,6 +6,7 @@ Version 2.3.5 Unreleased - Python 3.12 compatibility. :issue:`2704` +- Fix handling of invalid base64 values in ``Authorization.from_header``. :issue:`2717` Version 2.3.4 diff --git a/src/werkzeug/datastructures/auth.py b/src/werkzeug/datastructures/auth.py index 709955c46..a88f8a3c3 100644 --- a/src/werkzeug/datastructures/auth.py +++ b/src/werkzeug/datastructures/auth.py @@ -1,6 +1,7 @@ from __future__ import annotations import base64 +import binascii import typing as t import warnings from functools import wraps @@ -107,7 +108,7 @@ def from_header(cls, value: str | None) -> te.Self | None: if scheme == "basic": try: username, _, password = base64.b64decode(rest).decode().partition(":") - except UnicodeError: + except (binascii.Error, UnicodeError): return None return cls(scheme, {"username": username, "password": password}) diff --git a/tests/test_http.py b/tests/test_http.py index 7d76775ba..65febf961 100644 --- a/tests/test_http.py +++ b/tests/test_http.py @@ -216,6 +216,9 @@ def test_authorization_token_padding(self): assert a.type == "token" assert a.token == token + def test_authorization_basic_incorrect_padding(self): + assert Authorization.from_header("Basic foo") is None + def test_bad_authorization_header_encoding(self): """If the base64 encoded bytes can't be decoded as UTF-8""" content = base64.b64encode(b"\xffser:pass").decode()
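Review bot: The widened `except` in the `auth.py` hunk still lets a plain `ValueError` escape when `rest` contains non-ASCII characters, because `base64.b64decode` on a `str` first does `s.encode('ascii')` and on failure raises `ValueError('string argument should contain only ASCII characters')`, which is not a `binascii.Error`. WSGI servers pass header values through as latin-1-decoded text, so a raw byte such as `\xe9` in an `Authorization: Basic …` header would presumably reach this line and surface as an unhandled exception instead of `None`; I cannot confirm how `rest` is derived because `from_header` starts outside the hunk. Since `binascii.Error` and `UnicodeError` are both subclasses of `ValueError`, a single clause covers all three cases: `except ValueError:  # binascii.Error, UnicodeDecodeError, or non-ASCII input`. Note also that `b64decode` is called with the default `validate=False`, so non-alphabet characters are silently discarded rather than rejected; if strict parsing is intended, pass `validate=True`, which raises `binascii.Error` for them, and add a test alongside `test_authorization_basic_incorrect_padding` for the non-ASCII case.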