Better authorization error handling
authorChristian Weiske <cweiske@cweiske.de>
Thu, 19 Apr 2018 18:54:51 +0000 (20:54 +0200)
committerChristian Weiske <cweiske@cweiske.de>
Thu, 19 Apr 2018 18:54:51 +0000 (20:54 +0200)
www/micropub.php

index eff6ea7..c0c01b4 100644 (file)
@@ -111,9 +111,13 @@ function handleCreate($json, $token)
 
 function getTokenFromHeader()
 {
-    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+    if (isset($_SERVER['HTTP_AUTHORIZATION'])
+        && $_SERVER['HTTP_AUTHORIZATION'] != ''
+    ) {
         $auth = $_SERVER['HTTP_AUTHORIZATION'];
-    } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+    } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
+        && $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] != ''
+    ) {
         //php-cgi has it there
         $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
     } else {
@@ -122,11 +126,17 @@ function getTokenFromHeader()
             'Authorization HTTP header missing'
         );
     }
+    if (strpos($auth, ' ') === false) {
+        mpError(
+            'HTTP/1.0 403 Forbidden', 'forbidden',
+            'Authorization header must start with "Bearer "'
+        );
+    }
     list($bearer, $token) = explode(' ', $auth, 2);
     if ($bearer !== 'Bearer') {
         mpError(
             'HTTP/1.0 403 Forbidden', 'forbidden',
-            'Authorization header must start with "Bearer"'
+            'Authorization header must start with "Bearer "'
         );
     }
     return trim($token);