Raise a SynapseError if the authorisation header is missing or malformed

synapse/federation/transport.py

@@ -211,36 +211,44 @@ class TransportLayer(object):
 
         if request.method == "PUT":
             #TODO: Handle other method types? other content types?
-            content_bytes = request.content.read()
+            try:
-            content = json.loads(content_bytes)
+                content_bytes = request.content.read()
-            json_request["content"] = content
+                content = json.loads(content_bytes)
+                json_request["content"] = content
+            except:
+                raise SynapseError(400, "Unable to parse JSON", Codes.BAD_JSON)
 
         def parse_auth_header(header_str):
-            params = auth.split(" ")[1].split(",")
+            try:
-            param_dict = dict(kv.split("=") for kv in params)
+                params = auth.split(" ")[1].split(",")
-            def strip_quotes(value):
+                param_dict = dict(kv.split("=") for kv in params)
-                if value.startswith("\""):
+                def strip_quotes(value):
-                    return value[1:-1]
+                    if value.startswith("\""):
-                else:
+                        return value[1:-1]
-                    return value
+                    else:
-            origin = strip_quotes(param_dict["origin"])
+                        return value
-            key = strip_quotes(param_dict["key"])
+                origin = strip_quotes(param_dict["origin"])
-            sig = strip_quotes(param_dict["sig"])
+                key = strip_quotes(param_dict["key"])
-            return (origin, key, sig)
+                sig = strip_quotes(param_dict["sig"])
+                return (origin, key, sig)
+            except:
+                raise SynapseError(
+                    400, "Malformed Authorization Header", Codes.FORBIDDEN
+                )
 
         auth_headers = request.requestHeaders.getRawHeaders(b"Authorization")
 
-        if not auth_headers:
-            raise SynapseError(
-                401, "Missing Authorization headers", Codes.FORBIDDEN,
-            )
-
         for auth in auth_headers:
             if auth.startswith("X-Matrix"):
                 (origin, key, sig) = parse_auth_header(auth)
                 json_request["origin"] = origin
                 json_request["signatures"].setdefault(origin,{})[key] = sig
 
+        if not json_request["signatures"]:
+            raise SynapseError(
+                401, "Missing Authorization headers", Codes.FORBIDDEN,
+            )
+
         yield self.keyring.verify_json_for_server(origin, json_request)
 
         defer.returnValue((origin, content))

tests/utils.py

@@ -79,6 +79,10 @@ class MockHttpResource(HttpServer):
         mock_request.method = http_method
         mock_request.uri = path
 
+        mock_request.requestHeaders.getRawHeaders.return_value=[
+            "X-Matrix origin=test,key=,sig="
+        ]
+
         # return the right path if the event requires it
         mock_request.path = path