replace partition with split in BasicAuthentication (#8790)

* replace partition with split in BasicAuthentication * test if basic auth without provided password fails
2025-11-04 01:47:59 +03:00 · 2022-12-08 04:52:35 +01:00 · 2022-12-08 04:52:35 +01:00 · 1355890f9f
commit 1355890f9f
parent 1fbe16a8d2
2 changed files with 19 additions and 3 deletions
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@ -78,12 +78,12 @@ class BasicAuthentication(BaseAuthentication):
                auth_decoded = base64.b64decode(auth[1]).decode('utf-8')
            except UnicodeDecodeError:
                auth_decoded = base64.b64decode(auth[1]).decode('latin-1')
-            auth_parts = auth_decoded.partition(':')
-        except (TypeError, UnicodeDecodeError, binascii.Error):
+
+            userid, password = auth_decoded.split(':', 1)
+        except (TypeError, ValueError, UnicodeDecodeError, binascii.Error):
            msg = _('Invalid basic header. Credentials not correctly base64 encoded.')
            raise exceptions.AuthenticationFailed(msg)

-        userid, password = auth_parts[0], auth_parts[2]
        return self.authenticate_credentials(userid, password, request)

    def authenticate_credentials(self, userid, password, request=None):
--- a/tests/authentication/test_authentication.py
+++ b/tests/authentication/test_authentication.py
@ -120,6 +120,22 @@ class BasicAuthTests(TestCase):
        )
        assert response.status_code == status.HTTP_200_OK

+    def test_post_json_without_password_failing_basic_auth(self):
+        """Ensure POSTing json without password (even if password is empty string) returns 401"""
+        self.user.set_password("")
+        credentials = ('%s' % (self.username))
+        base64_credentials = base64.b64encode(
+            credentials.encode(HTTP_HEADER_ENCODING)
+        ).decode(HTTP_HEADER_ENCODING)
+        auth = 'Basic %s' % base64_credentials
+        response = self.csrf_client.post(
+            '/basic/',
+            {'example': 'example'},
+            format='json',
+            HTTP_AUTHORIZATION=auth
+        )
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
    def test_regression_handle_bad_base64_basic_auth_header(self):
        """Ensure POSTing JSON over basic auth with incorrectly padded Base64 string is handled correctly"""
        # regression test for issue in 'rest_framework.authentication.BasicAuthentication.authenticate'