mirror of
https://github.com/encode/django-rest-framework.git
synced 2024-11-21 17:16:47 +03:00
replace partition with split in BasicAuthentication (#8790)
* replace partition with split in BasicAuthentication * test if basic auth without provided password fails
This commit is contained in:
parent
1fbe16a8d2
commit
1355890f9f
|
@ -78,12 +78,12 @@ class BasicAuthentication(BaseAuthentication):
|
|||
auth_decoded = base64.b64decode(auth[1]).decode('utf-8')
|
||||
except UnicodeDecodeError:
|
||||
auth_decoded = base64.b64decode(auth[1]).decode('latin-1')
|
||||
auth_parts = auth_decoded.partition(':')
|
||||
except (TypeError, UnicodeDecodeError, binascii.Error):
|
||||
|
||||
userid, password = auth_decoded.split(':', 1)
|
||||
except (TypeError, ValueError, UnicodeDecodeError, binascii.Error):
|
||||
msg = _('Invalid basic header. Credentials not correctly base64 encoded.')
|
||||
raise exceptions.AuthenticationFailed(msg)
|
||||
|
||||
userid, password = auth_parts[0], auth_parts[2]
|
||||
return self.authenticate_credentials(userid, password, request)
|
||||
|
||||
def authenticate_credentials(self, userid, password, request=None):
|
||||
|
|
|
@ -120,6 +120,22 @@ class BasicAuthTests(TestCase):
|
|||
)
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
|
||||
def test_post_json_without_password_failing_basic_auth(self):
|
||||
"""Ensure POSTing json without password (even if password is empty string) returns 401"""
|
||||
self.user.set_password("")
|
||||
credentials = ('%s' % (self.username))
|
||||
base64_credentials = base64.b64encode(
|
||||
credentials.encode(HTTP_HEADER_ENCODING)
|
||||
).decode(HTTP_HEADER_ENCODING)
|
||||
auth = 'Basic %s' % base64_credentials
|
||||
response = self.csrf_client.post(
|
||||
'/basic/',
|
||||
{'example': 'example'},
|
||||
format='json',
|
||||
HTTP_AUTHORIZATION=auth
|
||||
)
|
||||
assert response.status_code == status.HTTP_401_UNAUTHORIZED
|
||||
|
||||
def test_regression_handle_bad_base64_basic_auth_header(self):
|
||||
"""Ensure POSTing JSON over basic auth with incorrectly padded Base64 string is handled correctly"""
|
||||
# regression test for issue in 'rest_framework.authentication.BasicAuthentication.authenticate'
|
||||
|
|
Loading…
Reference in New Issue
Block a user