HTTP 500 if Authorization header contains garbage


Richard Rodger

Jun 7, 2011, 9:56:51 PM
to ThriftDB
Just a little heads up:

I accidentally sent "Authorization: null" - and instead of getting a
400 Bad Request back I got a 500.

Richard

andres

Jun 7, 2011, 10:01:20 PM
to ThriftDB
Thanks for the bug report! Would you mind being more specific? What
was the url endpoint?

Andres

Richard Rodger

Jun 7, 2011, 10:16:20 PM
to thri...@googlegroups.com
I was testing:

GET: http://api.thriftdb.com/test_bucketx

note the 'x' :)

Richard Rodger
CEO, Chartaca.com
ric...@chartaca.com
@rjrodger
+353 87 6827135

Andres Morey

Jun 7, 2011, 10:50:48 PM
to thri...@googlegroups.com
This is what I get:

$ curl -X GET "http://api.thriftdb.com/test_bucketx"
{
    "__class__": "ClientErrorResponse", 
    "message": "Bucket not found: 'test_bucketx'"
}

I get a similar response when I add different combinations of null username/password. Are you getting something different?

Andres

Richard Rodger

Jun 8, 2011, 5:28:51 AM
to thri...@googlegroups.com
Try:

curl -X GET -H "Authorization: null" http://api.thriftdb.com/test_bucketx

I'd guess your base64 parser is not a happy camper, or the missing "Basic " prefix causes an issue.


I'm writing a node.js library, so I need to be able to tell the difference between requests rejected because they are malformed, versus server issues.


Richard

andres

Jun 9, 2011, 2:32:57 PM
to ThriftDB
Hi Richard,

I added some validation checks to the authentication handler. Your
request will now return a 400 error with this message:

$ curl -X GET -H "Authorization: null" http://api.thriftdb.com/test_bucketx
{
    "__class__": "ClientErrorResponse",
    "message": "Validation error: Authorization header expects format \"Basic username:password\""
}

Andres

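The kind of header validation discussed in this thread, as an added example that is not part of the original posts and is not ThriftDB's code: a Node.js parser that maps every malformed Authorization value to a 400-style result before anything reaches the decoder. It assumes the standard base64-encoded Basic scheme (RFC 7617); the function names and result shape are hypothetical.

```javascript
// Strict parsing of an HTTP Basic Authorization header (added example).
// parseBasicAuth, clientError and the result shape are hypothetical names.
const B64_RE = /^[A-Za-z0-9+\/]+={0,2}$/;

function clientError(message) {
  return { status: 400, body: { __class__: "ClientErrorResponse", message } };
}

function parseBasicAuth(headerValue) {
  // No header at all is not malformed, only unauthenticated.
  if (headerValue === undefined || headerValue === null) {
    return { status: 401, body: { message: "Authentication required" } };
  }
  if (typeof headerValue !== "string") {
    return clientError("Authorization header must be a string");
  }
  // Scheme name is case-insensitive; exactly one token must follow it.
  const m = /^Basic +(\S+)$/i.exec(headerValue.trim());
  if (!m) {
    return clientError("Authorization header must use the Basic scheme");
  }
  const token = m[1];
  // Buffer.from(..., "base64") silently skips invalid characters instead of
  // throwing, so check alphabet and length before decoding.
  if (!B64_RE.test(token) || token.length % 4 !== 0) {
    return clientError("Authorization credentials are not valid base64");
  }
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) {
    return clientError("Decoded credentials must be username:password");
  }
  // Split on the first colon only, since passwords may contain colons.
  return {
    status: 200,
    username: decoded.slice(0, sep),
    password: decoded.slice(sep + 1),
  };
}

// Constructed sample inputs, including the header value from the thread.
const samples = ["null", "Basic", "Basic !!!!", "Basic bm9jb2xvbg==",
  "Basic " + Buffer.from("alice:s3:cret").toString("base64")];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", parseBasicAuth(h).status);
}
```

A client library can then treat any 4xx as a request it built wrongly and reserve retry logic for 5xx responses.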