Raise a SynapseError if the authorisation header is missing or malformed

2024-05-20 12:33:46 +02:00 · 2014-10-13 15:53:18 +01:00 · 2014-10-13 15:53:18 +01:00 · 25d80f35f1
parent 75e517a2da
commit 25d80f35f1
2 changed files with 31 additions and 19 deletions
--- a/synapse/federation/transport.py
+++ b/synapse/federation/transport.py
@ -211,36 +211,44 @@ class TransportLayer(object):

        if request.method == "PUT":
            #TODO: Handle other method types? other content types?
-            content_bytes = request.content.read()
-            content = json.loads(content_bytes)
-            json_request["content"] = content
+            try:
+                content_bytes = request.content.read()
+                content = json.loads(content_bytes)
+                json_request["content"] = content
+            except:
+                raise SynapseError(400, "Unable to parse JSON", Codes.BAD_JSON)

        def parse_auth_header(header_str):
-            params = auth.split(" ")[1].split(",")
-            param_dict = dict(kv.split("=") for kv in params)
-            def strip_quotes(value):
-                if value.startswith("\""):
-                    return value[1:-1]
-                else:
-                    return value
-            origin = strip_quotes(param_dict["origin"])
-            key = strip_quotes(param_dict["key"])
-            sig = strip_quotes(param_dict["sig"])
-            return (origin, key, sig)
+            try:
+                params = auth.split(" ")[1].split(",")
+                param_dict = dict(kv.split("=") for kv in params)
+                def strip_quotes(value):
+                    if value.startswith("\""):
+                        return value[1:-1]
+                    else:
+                        return value
+                origin = strip_quotes(param_dict["origin"])
+                key = strip_quotes(param_dict["key"])
+                sig = strip_quotes(param_dict["sig"])
+                return (origin, key, sig)
+            except:
+                raise SynapseError(
+                    400, "Malformed Authorization Header", Codes.FORBIDDEN
+                )

        auth_headers = request.requestHeaders.getRawHeaders(b"Authorization")

-        if not auth_headers:
-            raise SynapseError(
-                401, "Missing Authorization headers", Codes.FORBIDDEN,
-            )
-
        for auth in auth_headers:
            if auth.startswith("X-Matrix"):
                (origin, key, sig) = parse_auth_header(auth)
                json_request["origin"] = origin
                json_request["signatures"].setdefault(origin,{})[key] = sig

+        if not json_request["signatures"]:
+            raise SynapseError(
+                401, "Missing Authorization headers", Codes.FORBIDDEN,
+            )
+
        yield self.keyring.verify_json_for_server(origin, json_request)

        defer.returnValue((origin, content))
--- a/tests/utils.py
+++ b/tests/utils.py
@ -79,6 +79,10 @@ class MockHttpResource(HttpServer):
        mock_request.method = http_method
        mock_request.uri = path

+        mock_request.requestHeaders.getRawHeaders.return_value=[
+            "X-Matrix origin=test,key=,sig="
+        ]
+
        # return the right path if the event requires it
        mock_request.path = path