Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input

2025-11-04 09:57:55 +03:00 · 2011-04-04 18:40:18 -07:00 · 2011-04-04 18:40:18 -07:00 · bbab859ae1
commit bbab859ae1
parent 39c0c07786
1 changed files with 12 additions and 1 deletions
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@ -58,10 +58,21 @@ class BaseAuthenticator(object):
 class BasicAuthenticator(BaseAuthenticator):
    """Use HTTP Basic authentication"""
    def authenticate(self, request):
+        from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
+        
        if 'HTTP_AUTHORIZATION' in request.META:
            auth = request.META['HTTP_AUTHORIZATION'].split()
            if len(auth) == 2 and auth[0].lower() == "basic":
-                uname, passwd = base64.b64decode(auth[1]).split(':')
+                try:
+                    auth_parts = base64.b64decode(auth[1]).partition(':')
+                except TypeError:
+                    return None
+                
+                try:
+                    uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
+                except DjangoUnicodeDecodeError:
+                    return None
+                    
                user = authenticate(username=uname, password=passwd)
                if user is not None and user.is_active:
                    return user