From 25d80f35f10239b280cf374f60ccb552087fcf44 Mon Sep 17 00:00:00 2001 From: Mark Haines Date: Mon, 13 Oct 2014 15:53:18 +0100 Subject: [PATCH] Raise a SynapseError if the authorisation header is missing or malformed --- synapse/federation/transport.py | 46 +++++++++++++++++++-------------- tests/utils.py | 4 +++ 2 files changed, 31 insertions(+), 19 deletions(-) diff --git a/synapse/federation/transport.py b/synapse/federation/transport.py index 93134ee274..7a4c1f6443 100644 --- a/synapse/federation/transport.py +++ b/synapse/federation/transport.py @@ -211,36 +211,44 @@ class TransportLayer(object): if request.method == "PUT": #TODO: Handle other method types? other content types? - content_bytes = request.content.read() - content = json.loads(content_bytes) - json_request["content"] = content + try: + content_bytes = request.content.read() + content = json.loads(content_bytes) + json_request["content"] = content + except: + raise SynapseError(400, "Unable to parse JSON", Codes.BAD_JSON) def parse_auth_header(header_str): - params = auth.split(" ")[1].split(",") - param_dict = dict(kv.split("=") for kv in params) - def strip_quotes(value): - if value.startswith("\""): - return value[1:-1] - else: - return value - origin = strip_quotes(param_dict["origin"]) - key = strip_quotes(param_dict["key"]) - sig = strip_quotes(param_dict["sig"]) - return (origin, key, sig) + try: + params = auth.split(" ")[1].split(",") + param_dict = dict(kv.split("=") for kv in params) + def strip_quotes(value): + if value.startswith("\""): + return value[1:-1] + else: + return value + origin = strip_quotes(param_dict["origin"]) + key = strip_quotes(param_dict["key"]) + sig = strip_quotes(param_dict["sig"]) + return (origin, key, sig) + except: + raise SynapseError( + 400, "Malformed Authorization Header", Codes.FORBIDDEN + ) auth_headers = request.requestHeaders.getRawHeaders(b"Authorization") - if not auth_headers: - raise SynapseError( - 401, "Missing Authorization headers", Codes.FORBIDDEN, - ) - for auth in auth_headers: if auth.startswith("X-Matrix"): (origin, key, sig) = parse_auth_header(auth) json_request["origin"] = origin json_request["signatures"].setdefault(origin,{})[key] = sig + if not json_request["signatures"]: + raise SynapseError( + 401, "Missing Authorization headers", Codes.FORBIDDEN, + ) + yield self.keyring.verify_json_for_server(origin, json_request) defer.returnValue((origin, content)) diff --git a/tests/utils.py b/tests/utils.py index 83dbd4f4d3..60fd6085ac 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -79,6 +79,10 @@ class MockHttpResource(HttpServer): mock_request.method = http_method mock_request.uri = path + mock_request.requestHeaders.getRawHeaders.return_value=[ + "X-Matrix origin=test,key=,sig=" + ] + # return the right path if the event requires it mock_request.path = path