From c730e93c7f44247aa9a7a43fbbaf804b418dfbbe Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Thu, 19 Apr 2018 20:54:51 +0200
Subject: [PATCH] Better authorization error handling

---
 www/micropub.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/www/micropub.php b/www/micropub.php
index eff6ea7..c0c01b4 100644
--- a/www/micropub.php
+++ b/www/micropub.php
@@ -111,9 +111,13 @@ function handleCreate($json, $token)
 function getTokenFromHeader()
 {
-    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+    if (isset($_SERVER['HTTP_AUTHORIZATION'])
+        && $_SERVER['HTTP_AUTHORIZATION'] != ''
+    ) {
         $auth = $_SERVER['HTTP_AUTHORIZATION'];
-    } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+    } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
+        && $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] != ''
+    ) {
         //php-cgi has it there
         $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
     } else {
@@ -122,11 +126,17 @@ function getTokenFromHeader()
             'Authorization HTTP header missing'
         );
     }
+    if (strpos($auth, ' ') === false) {
+        mpError(
+            'HTTP/1.0 403 Forbidden', 'forbidden',
+            'Authorization header must start with "Bearer "'
+        );
+    }
     list($bearer, $token) = explode(' ', $auth, 2);
     if ($bearer !== 'Bearer') {
         mpError(
             'HTTP/1.0 403 Forbidden', 'forbidden',
-            'Authorization header must start with "Bearer"'
+            'Authorization header must start with "Bearer "'
         );
     }
     return trim($token);
-- 
2.30.2
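Review bot: The two added emptiness checks use the loose `!= ''` comparison; on a string from $_SERVER this happens to behave, but the file's own style elsewhere in this function is strict (`$bearer !== 'Bearer'`), so write `&& $_SERVER['HTTP_AUTHORIZATION'] !== ''` and `&& $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] !== ''`. Each isset-plus-compare pair could also collapse to a single `($_SERVER['HTTP_AUTHORIZATION'] ?? '') !== ''`, which reads the same and drops the duplicated key. A header that is only whitespace still passes this check and is rejected later by the Bearer test, which is acceptable but worth a one-line comment such as `// an empty header is treated as absent so the 401 path below applies`. getTokenFromHeader's else branch continues past the end of this hunk.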
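Review bot: The new strpos guard stops the undefined-offset notice from `list($bearer, $token) = explode(' ', $auth, 2)`, but a header of exactly `Bearer ` (scheme followed only by whitespace) still passes both guards and makes `return trim($token)` hand an empty string to the caller as a token. Both checks, plus the empty-token case, collapse into one test on the explode result, and the 403 message is then emitted from a single place rather than two. This assumes mpError() does not return, which the 401 path in the else branch above already relies on but which is not visible in the hunk; if it can return, the early-exit form below needs an explicit `return`/`exit` after it. Whether `Bearer` should be matched case-insensitively (HTTP auth schemes are case-insensitive) is a separate question the commit does not change.
```php
    $parts = explode(' ', $auth, 2);
    // scheme must be "Bearer" and a non-empty token must follow it
    if (count($parts) !== 2 || $parts[0] !== 'Bearer' || trim($parts[1]) === '') {
        mpError(
            'HTTP/1.0 403 Forbidden', 'forbidden',
            'Authorization header must start with "Bearer "'
        );
    }
    return trim($parts[1]);
```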