ignore invalid authorization parameters

Author: ckoehn

CHANGES.rst

@@ -7,6 +7,7 @@ Unreleased
 
 -   The Watchdog reloader ignores file closed no write events. :issue:`2945`
 -   Logging works with client addresses containing an IPv6 scope :issue:`2952`
+-   Ignore invalid authorization parameters. :issue:`2955`
 
 
 Version 3.0.4

src/werkzeug/http.py

@@ -361,6 +361,10 @@ def parse_dict_header(value: str) -> dict[str, str | None]:
         key, has_value, value = item.partition("=")
         key = key.strip()
 
+        if not key:
+            # =value is not valid
+            continue
+
         if not has_value:
             result[key] = None
             continue

tests/test_http.py

@@ -107,9 +107,16 @@ def test_set_header(self):
     def test_list_header(self, value, expect):
         assert http.parse_list_header(value) == expect
 
-    def test_dict_header(self):
-        d = http.parse_dict_header('foo="bar baz", blah=42')
-        assert d == {"foo": "bar baz", "blah": "42"}
+    @pytest.mark.parametrize(
+        ("value", "expect"),
+        [
+            ('foo="bar baz", blah=42', {"foo": "bar baz", "blah": "42"}),
+            ("foo, bar=", {"foo": None, "bar": ""}),
+            ("=foo, =", {}),
+        ],
+    )
+    def test_dict_header(self, value, expect):
+        assert http.parse_dict_header(value) == expect
 
     def test_cache_control_header(self):
         cc = http.parse_cache_control_header("max-age=0, no-cache")
@@ -204,6 +211,10 @@ def test_authorization_header(self):
         assert Authorization.from_header(None) is None
         assert Authorization.from_header("foo").type == "foo"
 
+    def test_authorization_ignore_invalid_parameters(self):
+        a = Authorization.from_header("Digest foo, bar=, =qux, =")
+        assert a.to_header() == 'Digest foo, bar=""'
+
     def test_authorization_token_padding(self):
         # padded with =
         token = base64.b64encode(b"This has base64 padding").decode()