From fc981a8b5ac75038bc846cc572f9b4bebd0e3117 Mon Sep 17 00:00:00 2001
From: Anthony Deroche
Date: Sat, 21 Jan 2017 10:32:35 +0100
Subject: [PATCH] Add check when using another content type than application/x-www-form-urlencoded and return a 415 http error

---
 mod_authnz_jwt.c | 7 +++++++
 tests/test_auth_by_token.py | 2 +-
 tests/test_jwt.py | 2 ++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/mod_authnz_jwt.c b/mod_authnz_jwt.c
index 28e71ee..81c78bb 100644
--- a/mod_authnz_jwt.c
+++ b/mod_authnz_jwt.c
@@ -693,6 +693,13 @@ static int auth_jwt_login_handler(request_rec *r){
         return HTTP_METHOD_NOT_ALLOWED;
     }
 
+    const char* content_type = apr_table_get(r->headers_in, "Content-Type");
+    if(!content_type || strcmp(content_type, "application/x-www-form-urlencoded")!=0){
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(55202)
+                "auth_jwt authn: content type must be x-www-form-urlencoded");
+        return HTTP_UNSUPPORTED_MEDIA_TYPE;
+    }
+
     apr_array_header_t *pairs = NULL;
     res = ap_parse_form_data(r, NULL, &pairs, -1, FORM_SIZE);
     if (res != OK) {
diff --git a/tests/test_auth_by_token.py b/tests/test_auth_by_token.py
index 247fee0..ab68a42 100644
--- a/tests/test_auth_by_token.py
+++ b/tests/test_auth_by_token.py
@@ -12,7 +12,7 @@ def test_login_with_urlencoded_should_success(self):
 
     def test_login_should_with_json_should_fail(self):
         code, content, headers = self.http_post(self.LOGIN_PATH, {self.USERNAME_FIELD:self.USERNAME, self.PASSWORD_FIELD:self.PASSWORD}, headers={"Content-Type":"application/json"})
-        self.assertEqual(code, 401)
+        self.assertEqual(code, 415)
 
     @TestJWT.with_all_algorithms()
     def test_malformed_token_should_fail(self, alg, key, secured_url):
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
index fa7bec9..f76be06 100644
--- a/tests/test_jwt.py
+++ b/tests/test_jwt.py
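Review bot: The exact `strcmp` against "application/x-www-form-urlencoded" rejects any request whose Content-Type carries a parameter such as `; charset=UTF-8` or uses different casing, both of which are valid for that media type, so well-behaved clients now receive 415 from the login handler. A case-insensitive prefix compare, `if(!content_type || strncasecmp(content_type, "application/x-www-form-urlencoded", 33) != 0){`, appears to match what the later `ap_parse_form_data` call itself accepts (strncasecmp needs `<strings.h>` if it is not already pulled in). Logging this purely client-driven condition at APLOG_ERR also lets any unauthenticated caller fill the error log at the highest routine level; APLOG_INFO or APLOG_DEBUG is more proportionate. auth_jwt_login_handler starts before the hunk and continues past it.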
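Review bot: The test name `test_login_should_with_json_should_fail` reads as a slip next to `test_login_with_urlencoded_should_success` on the line above it; since its expectation is being changed anyway, renaming it to `test_login_with_json_should_fail` keeps the pair symmetric. The 415 expectation itself is consistent with the new status returned by the C hunk in this patch.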
@@ -67,6 +67,8 @@ def http_get(self, url, token=None):
     def http_post(self, url, data, token=None, headers=None):
         if headers is None:
             headers = {}
+        if "Content-Type" not in headers:
+            headers["Content-Type"] = "application/x-www-form-urlencoded"
         if "Authorization" not in headers and token is not None:
             headers["Authorization"] = "Bearer %s" % token
         r = requests.post(url, data=data, headers=headers)
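Review bot: The new `headers["Content-Type"] = "application/x-www-form-urlencoded"` line writes into the dict the caller passed in, just as the Authorization assignment below it already does, so a test that reuses one headers dict across several http_post calls will carry the default content type (or an earlier token) into later calls without noticing. Copying before mutating avoids that: `headers = {} if headers is None else dict(headers)` in place of the existing two-line None check. http_post continues past the end of the hunk.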