pallets / werkzeug

The comprehensive WSGI web application library.
https://werkzeug.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

Authorization parameter parsing fails on invalid value #2955

Open ckoehn opened 3 days ago

ckoehn commented 3 days ago

Steps to reproduce

>>> from werkzeug.datastructures import Authorization
>>> Authorization.from_header("Digest =foo")
---------------------------------------------------------------------------
IndexError                                Traceback (most recent call last)
Cell In[2], line 1
----> 1 Authorization.from_header("Digest =foo")

File ~/Downloads/.venv/lib/python3.12/site-packages/werkzeug/datastructures/auth.py:114, in Authorization.from_header(cls, value)
    110     return cls(scheme, {"username": username, "password": password})
    112 if "=" in rest.rstrip("="):
    113     # = that is not trailing, this is parameters.
--> 114     return cls(scheme, parse_dict_header(rest), None)
    116 # No = or only trailing =, this is a token.
    117 return cls(scheme, None, rest)

File ~/Downloads/.venv/lib/python3.12/site-packages/werkzeug/http.py:371, in parse_dict_header(value)
    368 value = value.strip()
    369 encoding: str | None = None
--> 371 if key[-1] == "*":
    372     # key*=charset''value becomes key=value, where value is percent encoded
    373     # adapted from parse_options_header, without the continuation handling
    374     key = key[:-1]
    375     match = _charset_value_re.match(value)

IndexError: string index out of range

Expected behavior

Gracefully handle invalid inputs by skipping them

Environment

davidism commented 3 days ago

Makes sense. I think key[-1:] will fix it.
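As an added illustration (not Werkzeug's code, and not something either participant posted), the following minimal Python re-implementation of the `key=value` parsing path shown in the traceback reproduces the IndexError on an empty key and shows the `key[-1:]` slice davidism suggests, plus dropping items with an empty key as the reporter's expected behaviour. It feeds the `=foo` remainder directly, as `Authorization.from_header` does after stripping the `Digest` scheme. The names `parse_dict_header_buggy`, `parse_dict_header_fixed`, `reproduce` and `_CHARSET_VALUE_RE` are hypothetical, and the `key*=charset''value` handling is a simplified sketch, not the library's regex or quoting logic.

```python
import re
from urllib.parse import unquote

# Hypothetical, simplified RFC 2231 ext-value pattern: charset'language'percent-encoded
# (this is not Werkzeug's _charset_value_re).
_CHARSET_VALUE_RE = re.compile(r"^([^']*)'([^']*)'(.*)$")


def _split_items(value: str):
    """Yield (key, value) pairs from ``a=b, c=d`` style text.

    value is None when an item has no '='. Keys and values are stripped;
    quoted strings are not handled (a simplification of the real parser).
    """
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            key, _, val = item.partition("=")
            yield key.strip(), val.strip()
        else:
            yield item, None


def _decode_ext_value(val: str) -> str:
    """Decode the charset''%XX form; return the raw text if it does not match."""
    m = _CHARSET_VALUE_RE.match(val)
    if m is None:
        return val
    charset, _lang, encoded = m.groups()
    try:
        return unquote(encoded, encoding=charset or "utf-8")
    except LookupError:  # unknown charset name: fall back to utf-8
        return unquote(encoded)


def parse_dict_header_buggy(value: str) -> dict:
    """Mirrors the failing shape from the traceback: ``key[-1]`` on an empty key."""
    result = {}
    for key, val in _split_items(value):
        if val is None:
            result[key] = None
            continue
        if key[-1] == "*":  # IndexError: string index out of range when key == ""
            key = key[:-1]
            val = _decode_ext_value(val)
        result[key] = val
    return result


def parse_dict_header_fixed(value: str, skip_empty_keys: bool = True) -> dict:
    """Same loop with ``key[-1:]`` (never raises on '') and, optionally,
    dropping items whose key is empty, which is what the reporter asked for.
    """
    result = {}
    for key, val in _split_items(value):
        if not key and skip_empty_keys:
            continue
        if val is None:
            result[key] = None
            continue
        if key[-1:] == "*":  # '' != '*', so an empty key is handled gracefully
            key = key[:-1]
            val = _decode_ext_value(val)
        result[key] = val
    return result


def reproduce(value: str) -> tuple:
    """Return (buggy parser raised IndexError, fixed parser result) for one input."""
    try:
        parse_dict_header_buggy(value)
        crashed = False
    except IndexError:
        crashed = True
    return crashed, parse_dict_header_fixed(value)


if __name__ == "__main__":
    # Constructed sample inputs: the reporter's remainder, a normal Digest
    # parameter list, and an RFC 2231 style extended parameter.
    for header in ("=foo", "realm=x, nonce=abc", "title*=UTF-8''%C3%A4"):
        print(repr(header), "->", reproduce(header))
```

With `skip_empty_keys=False` the fixed parser still does not crash; it simply stores the value under the empty key, which is all the one-character slice change buys on its own. Whether to drop such items or keep them is a separate decision from avoiding the exception.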