# HG changeset patch
# User Kim Alvefur
# Date 1721066545 -7200
# Node ID 46394b327d171e0aed622e465f72d66a05274076
# Parent 667ce80937fa28f8791d7ba2d0ccba1490d43cf0
mod_http_oauth2: Guard against malformed authorization header

Prevent error on calling :lower() afterwards

diff -r 667ce80937fa -r 46394b327d17 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 15 16:24:20 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 15 20:02:25 2024 +0200
@@ -697,6 +697,7 @@
 	if not request.headers.authorization then return; end
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
+	if not auth_type then return nil; end
 	-- As described in Section 2.3 of [RFC5234], the string Bearer is case-insensitive.
 	-- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-5.1.1
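Review bot: The added guard returns `nil` explicitly while the header-absent check on the line directly above uses a bare `return`, so the two "no usable credentials" paths yield a different number of return values; for consistency write `if not auth_type then return; end` (or make both `return nil`). The enclosing function begins before this hunk and the `:lower()` call named in the commit description is outside it, so I cannot confirm from here whether any other use of `auth_data` further down needs the same guard. Separately, the pattern `^(%S+)%s(.+)$` allows exactly one whitespace character between scheme and credentials, so a header with two spaces still matches but leaves a leading space in `auth_data`; that is pre-existing and results in a rejection rather than an error, so it is not blocking for this change.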