From e19b21ecc547bc3318354802aeadb5d45c65d475 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Germ=C3=A1n=20Larra=C3=ADn?=
Date: Tue, 3 May 2016 05:24:55 -0300
Subject: [PATCH 1/2] Handle incorrectly padded HTTP basic auth header (#4090)

---
 rest_framework/authentication.py | 3 ++-
 tests/test_authentication.py | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 63d302bc2..120be6165 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -4,6 +4,7 @@ Provides various authentication policies.
 from __future__ import unicode_literals
 import base64
+import binascii
 from django.contrib.auth import authenticate, get_user_model
 from django.middleware.csrf import CsrfViewMiddleware
@@ -77,7 +78,7 @@ class BasicAuthentication(BaseAuthentication):
         try:
             auth_parts = base64.b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(':')
-        except (TypeError, UnicodeDecodeError):
+        except (TypeError, UnicodeDecodeError, binascii.Error):
             msg = _('Invalid basic header. Credentials not correctly base64 encoded.')
             raise exceptions.AuthenticationFailed(msg)
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
index 70eea3132..9aff7280b 100644
--- a/tests/test_authentication.py
+++ b/tests/test_authentication.py
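Review bot: Adding `binascii.Error` closes the padding case, but `base64.b64decode(auth[1])` still runs with its default `validate=False`, so a token containing characters outside the base64 alphabet is silently stripped and decoded instead of being rejected, and whatever comes out is split on `':'` and handed on as credentials rather than hitting the "not correctly base64 encoded" branch. On Python 3 `base64.b64decode(auth[1], validate=True)` turns that input into a `binascii.Error` the new clause already catches; if Python 2 is still supported (the `unicode_literals` import suggests it may be) the keyword is unavailable there, and a comment such as `# b64decode discards non-alphabet bytes; garbage tokens decode to garbage credentials and must be rejected downstream` would at least make the lenient decode explicit. As both `binascii.Error` and `UnicodeDecodeError` subclass `ValueError`, `except (TypeError, ValueError):` is the equivalent shorter spelling. The enclosing `authenticate` method starts and ends outside the hunk.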
@@ -85,6 +85,14 @@ class BasicAuthTests(TestCase):
         response = self.csrf_client.post('/basic/', {'example': 'example'}, format='json', HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+    def test_regression_handle_bad_base64_basic_auth_header(self):
+        """Ensure POSTing JSON over basic auth with incorrectly padded Base64 string is handled correctly"""
+        # regression test for issue in 'rest_framework.authentication.BasicAuthentication.authenticate'
+        # https://github.com/tomchristie/django-rest-framework/issues/4089
+        auth = 'Basic =a='
+        response = self.csrf_client.post('/basic/', {'example': 'example'}, format='json', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
     def test_post_form_failing_basic_auth(self):
         """Ensure POSTing form over basic auth without correct credentials fails"""
         response = self.csrf_client.post('/basic/', {'example': 'example'})

From 28c6d96af85dae4678f4cfc5932b0022c3017d1e Mon Sep 17 00:00:00 2001
From: Asif Saifuddin Auvi
Date: Tue, 3 May 2016 14:25:27 +0600
Subject: [PATCH 2/2] upgraded minor django version n tox (#4091)

---
 tox.ini | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tox.ini b/tox.ini
index 39742d2b3..8721af601 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,8 +13,8 @@ setenv =
     PYTHONDONTWRITEBYTECODE=1
     PYTHONWARNINGS=once
 deps =
-    django18: Django==1.8.12
-    django19: Django==1.9.5
+    django18: Django==1.8.13
+    django19: Django==1.9.6
     -rrequirements/requirements-testing.txt
     -rrequirements/requirements-optionals.txt
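Review bot: The new test pins only the status code, so any 401 — including one raised for a reason unrelated to base64 decoding — keeps it green; asserting the detail message ties it to the branch being fixed, e.g. `self.assertEqual(response.data['detail'], 'Invalid basic header. Credentials not correctly base64 encoded.')`, assuming the test client exposes the JSON body as `response.data` (not visible in this hunk). A second case with characters outside the base64 alphabet (constructed example: `'Basic !!!'`) would document how non-padding garbage is handled, since `=a=` exercises only the padding path. The `BasicAuthTests` class continues outside the hunk.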