Verify that the authorization header has 2 parts
authorChristian Weiske <cweiske@cweiske.de>
Thu, 22 Mar 2018 20:20:51 +0000 (21:20 +0100)
committerChristian Weiske <cweiske@cweiske.de>
Thu, 22 Mar 2018 20:20:51 +0000 (21:20 +0100)
Resolves: https://github.com/cweiske/anoweco/issues/4

www/token.php

index abe14ed6f9c93c143151c7b5d48674ce1a787295..6a7fa81332960785cb0f4a5ef7e43b0b5728fd4e 100644 (file)
@@ -47,7 +47,13 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
     } else {
         error('Authorization HTTP header missing');
     }
-    list($bearer, $token) = explode(' ', $auth, 2);
+
+    $parts = explode(' ', $auth, 2);
+    if (count($parts) != 2) {
+        error('Authorization header must container "Bearer" and the token');
+    }
+
+    list($bearer, $token) = $parts;
     if ($bearer !== 'Bearer') {
         error('Authorization header must start with "Bearer"');
     }
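Review bot: The message passed to error() in the new `count($parts) != 2` branch has a typo ("container"); it should read `error('Authorization header must contain "Bearer" and the token');`. The count check also lets an empty token through: a header of `"Bearer "` explodes into two parts with an empty second element, so the `$bearer !== 'Bearer'` check passes and `$token` is `''` when it reaches whatever consumes it further down; `if (count($parts) != 2 || $parts[1] === '') {` would close that gap, and `!==` is the strict form preferred over `!=` here. This assumes error() terminates the script, which the surrounding code appears to rely on but which is not visible in the hunk. The enclosing block starts before the hunk and its use of $token continues after it.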