M #-: treat Sunstone authorization header exceptions (#2616)

2025-03-28 14:50:08 +03:00 · 2023-05-19 11:33:42 +02:00 · 2023-05-19 11:33:42 +02:00 · b01536603d
commit b01536603d
parent 4204b5581a
1 changed files with 21 additions and 12 deletions
--- a/src/sunstone/sunstone-server.rb
+++ b/src/sunstone/sunstone-server.rb
@ -563,21 +563,30 @@ helpers do
        session[:federation_mode] = active_zone_configuration['FEDERATION/MODE'].upcase
        session[:mode] = $conf[:mode]

-        if RUBY_VERSION > '2.0.0'
-          auth = request.env['HTTP_AUTHORIZATION'].match(/(?<basic>\w+) (?<pass>(\w|\W)+)/)
-          session[:auth] = auth[:pass]
+        begin
+            http_authorization_header = request.env['HTTP_AUTHORIZATION']
+        rescue StandardError => e
+            logger.error { 'Authorization header not received' }
        else
-          auth = request.env['HTTP_AUTHORIZATION'].split(" ")
-          if auth[0] && auth[0].downcase === 'basic'
-            session[:auth] = auth[1]
-          else
-            logger.info { 'Unauthorized login attempt' }
-            return [401, '']
-          end
+            begin
+                if RUBY_VERSION > '2.0.0'
+                    auth = http_authorization_header.match(/(?<basic>\w+) (?<pass>(\w|\W)+)/)
+                    type, pass = auth[:basic], auth[:pass]
+                else
+                    type, pass = http_authorization_header.split(' ')
+                end
+            rescue StandardError => e
+                logger.error { 'Invalid authorization header format' }
+            else
+                if type && type.downcase == 'basic'
+                    session[:auth] = pass
+                else
+                    logger.info { 'Unauthorized login attempt or invalid authorization header' }
+                    return [401, '']
+                end
+            end
        end

-
-
        #get firedge JWT
        session[:fireedge_token] = get_fireedge_token(two_factor_auth_token)