Fail authentication on bad authorization base64 encoding

Closes #591

Author: d1p

oauth2_provider/oauth2_validators.py

@@ -96,7 +96,11 @@ def _authenticate_basic_auth(self, request):
             )
             return False
 
-        client_id, client_secret = map(unquote_plus, auth_string_decoded.split(":", 1))
+        try:
+            client_id, client_secret = map(unquote_plus, auth_string_decoded.split(":", 1))
+        except ValueError:
+            log.debug("Failed basic auth, Invalid base64 encoding.")
+            return False
 
         if self._load_application(client_id, request) is None:
             log.debug("Failed basic auth: Application %s does not exist" % client_id)

tests/test_oauth2_validators.py

@@ -106,6 +106,12 @@ def test_authenticate_basic_auth_not_b64_auth_string(self):
         self.request.headers = {"HTTP_AUTHORIZATION": "Basic not_base64"}
         self.assertFalse(self.validator._authenticate_basic_auth(self.request))
 
+    def test_authenticate_basic_auth_invalid_b64_string(self):
+        self.request.encoding = "utf-8"
+        # client_id:wrong_secret
+        self.request.headers = {"HTTP_AUTHORIZATION": "Basic ZHVtbXk=:ZHVtbXk=\n"}
+        self.assertFalse(self.validator._authenticate_basic_auth(self.request))
+
     def test_authenticate_basic_auth_not_utf8(self):
         self.request.encoding = "utf-8"
         # b64decode("test") will become b"\xb5\xeb-", it can"t be decoded as utf-8