Handle a case in the authorization header where there's garbage (non-keypairs) after the method name.

ahknight · ahknight · commit 99a48f57b51a · 2014-07-02T17:41:39.000-05:00
diff --git a/httpsig/utils.py b/httpsig/utils.py
@@ -71,14 +71,16 @@ def parse_authorization_header(header):
             fields = parse_http_list(auth_value)
         
             for item in fields:
-                # Split on the first '=' only.
-                key, value = item.split('=', 1)
+                # Only include keypairs.
+                if '=' in item:
+                    # Split on the first '=' only.
+                    key, value = item.split('=', 1)
             
-                # Unquote values, if quoted.
-                if value[0] == '"':
-                    value = value[1:-1]
+                    # Unquote values, if quoted.
+                    if value[0] == '"':
+                        value = value[1:-1]
                 
-                values[key] = value
+                    values[key] = value
     
     # ("Signature", {"headers": "date", "algorithm": "hmac-sha256", ... })
     return (auth[0], CaseInsensitiveDict(values))
diff --git a/httpsig/verify.py b/httpsig/verify.py
@@ -47,6 +47,16 @@ class HeaderVerifier(Verifier):
     Verifies an HTTP signature from given headers.
     """
     def __init__(self, headers, secret, required_headers=None, method=None, path=None, host=None):
+        """
+        Instantiate a HeaderVerifier object.
+        
+        :param headers:             A dictionary of headers from the HTTP request.
+        :param secret:              The HMAC secret or RSA *public* key.
+        :param required_headers:    Optional. A list of headers required to be present to validate, even if the signature is otherwise valid.  Defaults to ['date'].
+        :param method:              Optional. The HTTP method used in the request (eg. "GET"). Required for the '(request-line)' header.
+        :param path:                Optional. The HTTP path requested, exactly as sent (including query arguments and fragments). Required for the '(request-line)' header.
+        :param host:                Optional. The value to use for the Host header, if not supplied in :param:headers.
+        """
         required_headers = required_headers or ['date']
         
         auth = parse_authorization_header(headers['authorization'])
@@ -64,6 +74,12 @@ def __init__(self, headers, secret, required_headers=None, method=None, path=Non
         super(HeaderVerifier, self).__init__(secret, algorithm=self.auth_dict['algorithm'])
 
     def verify(self):
+        """
+        Verify the headers based on the arguments passed at creation and current properties.
+        
+        Raises an Exception if a required header (:param:required_headers) is not found in the signature.
+        Returns True or False.
+        """
         auth_headers = self.auth_dict.get('headers', 'date').split(' ')
         
         if len(set(self.required_headers) - set(auth_headers)) > 0:
