changeset 5935:46394b327d17

mod_http_oauth2: Guard against malformed authorization header. Prevents an error on calling :lower() afterwards.
author Kim Alvefur <zash@zash.se>
date Mon, 15 Jul 2024 20:02:25 +0200
parents 667ce80937fa
children a9c75430cb26
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 0 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 15 16:24:20 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 15 20:02:25 2024 +0200
@@ -697,6 +697,7 @@
 	if not request.headers.authorization then return; end
 
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
+	if not auth_type then return nil; end
 
 	-- As described in Section 2.3 of [RFC5234], the string Bearer is case-insensitive.
 	-- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-5.1.1
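Review bot: The new guard after the `string.match` line returns an explicit `nil`, while the guard three lines above it on the same header uses a bare `return;`; these are not identical in Lua (zero values versus one value, distinguishable by a caller using `select("#", ...)`), so for consistency with the surrounding code `if not auth_type then return; end` seems preferable unless the function's callers, which are outside the hunk, rely on the one-value form. Separately, the pattern `^(%S+)%s(.+)$` matches exactly one whitespace character between the scheme and the credentials, so a header such as `Bearer  token` (two spaces) passes the new guard with `auth_data` carrying a leading space; if the credential parsing below expects a trimmed value, `^(%S+)%s+(.+)$` would tolerate the multiple-SP form the HTTP grammar permits. The enclosing function starts before the hunk and continues after it.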