
Commit 0159fe2

committed
fix: match WWW-Authenticate params exactly
1 parent e942d00 commit 0159fe2

2 files changed

Lines changed: 13 additions & 2 deletions


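--- a/src/mcp/client/auth/utils.py
+++ b/src/mcp/client/auth/utils.py
@@ -26,8 +26,8 @@ def extract_field_from_www_auth(response: Response, field_name: str) -> str | No
     if not www_auth_header:
         return None
 
-    # Pattern matches: field_name="value" or field_name=value (unquoted)
-    pattern = rf'{field_name}=(?:"([^"]+)"|([^\s,]+))'
+    # Pattern matches a complete auth-param name: field_name="value" or field_name=value (unquoted).
+    pattern = rf'(?:^|[\s,]){re.escape(field_name)}\s*=\s*(?:"([^"]+)"|([^\s,]+))'
     match = re.search(pattern, www_auth_header)
 
     if match: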
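Review bot: The tightened pattern still matches the auth-param name case-sensitively, although RFC 7235 §2.1 defines auth-param names as case-insensitive, so a server that sends `Scope=` or `Resource_Metadata=` is silently treated as having no such parameter; pass the flag on the search line, `match = re.search(pattern, www_auth_header, re.IGNORECASE)` (it only affects the escaped literal name, the rest of the pattern is character classes). Two caveats deserve a comment on the pattern line: the quoted branch `"([^"]+)"` stops at the first `"`, so a quoted-pair such as `\"` inside a value truncates it, and `re.search` returns the first occurrence anywhere in the header, so with several challenges (`Basic realm=..., Bearer realm=...`) the value may come from a non-Bearer challenge — which matters for `resource_metadata`, since it decides where the client fetches its metadata. Both predate this commit, so at minimum record them: `# NOTE: name is matched case-sensitively and across all challenges; quoted-pair escapes are not unescaped`. The enclosing extract_field_from_www_auth starts before this hunk and its `if match:` body continues after it.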

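--- a/tests/client/test_auth.py
+++ b/tests/client/test_auth.py
@@ -1997,6 +1997,11 @@ class TestWWWAuthenticate:
                 "scope",
                 "admin:write resource:read",
             ),
+            (
+                'Bearer error_scope="decoy", scope="read write"',
+                "scope",
+                "read write",
+            ),
             (
                 'Bearer realm="api", resource_metadata="https://api.example.com/.well-known/oauth-protected-resource", '
                 'error="insufficient_scope"',
@@ -2047,6 +2052,12 @@ def test_extract_field_from_www_auth_valid_cases(
             # Header without requested field
             ('Bearer realm="api", error="insufficient_scope"', "scope", "no scope parameter"),
             ('Bearer realm="api", scope="read write"', "resource_metadata", "no resource_metadata parameter"),
+            ('Bearer custom_scope="leaked"', "scope", "substring auth-param should not match scope"),
+            (
+                'Bearer x_resource_metadata="https://decoy.example.com"',
+                "resource_metadata",
+                "substring auth-param should not match resource_metadata",
+            ),
             # Malformed field (empty value)
             ("Bearer scope=", "scope", "malformed scope parameter"),
             ("Bearer resource_metadata=", "resource_metadata", "malformed resource_metadata parameter"),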
