From 805cee5bda7bfd7f556ec9352ff62ac2806f2d41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6hn?=
Date: Thu, 10 Oct 2024 23:00:41 +0200
Subject: [PATCH] Ignore invalid authorization parameters

---
 CHANGES.rst          |  4 ++--
 src/werkzeug/http.py |  3 +++
 tests/test_http.py   | 17 ++++++++++++++---
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 33b441c79..af8c18a25 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -5,11 +5,11 @@ Version 3.1.0
 
 Unreleased
 
-- Support Cookie CHIPS (Partitioned Cookies). :issue:`2797`
+- Support Cookie CHIPS (Partitioned Cookies). :issue:`2797`
 - ``CacheControl.no_transform`` is a boolean when present. ``min_fresh`` is ``None`` when not present. Added the ``must_understand`` attribute. Fixed some typing issues on cache control. :issue:`2881`
-
+- Ignore invalid authorization parameters. :issue:`2955`
 
 Version 3.0.4
 -------------
diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
index c86e4750b..c0d66047b 100644
--- a/src/werkzeug/http.py
+++ b/src/werkzeug/http.py
@@ -365,6 +365,9 @@ def parse_dict_header(value: str) -> dict[str, str | None]:
             result[key] = None
             continue
 
+        if not key:
+            continue
+
         value = value.strip()
         encoding: str | None = None
 
diff --git a/tests/test_http.py b/tests/test_http.py
index 11147f63c..9febd0f0c 100644
--- a/tests/test_http.py
+++ b/tests/test_http.py
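Review bot: The new `if not key: continue` is placed after the `if not has_value` branch, so an item that has no `=` at all and strips to an empty name still reaches `result[key] = None` two lines above and stores a `""` key; the guard only covers items that do carry an `=`. If the intent is to drop every nameless parameter, the check belongs before the no-value branch, directly after the key is split and stripped (presumably a few lines above this hunk): `if not key: continue`. Whether the list parser feeding this loop can yield an empty item (for input such as `Digest , foo`) is not visible here, so confirm that against `parse_list_header` before relying on the current placement. `parse_dict_header` starts before this hunk and continues after it.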
@@ -107,9 +107,16 @@ def test_set_header(self):
     def test_list_header(self, value, expect):
         assert http.parse_list_header(value) == expect
 
-    def test_dict_header(self):
-        d = http.parse_dict_header('foo="bar baz", blah=42')
-        assert d == {"foo": "bar baz", "blah": "42"}
+    @pytest.mark.parametrize(
+        ("value", "expect"),
+        [
+            ('foo="bar baz", blah=42', {"foo": "bar baz", "blah": "42"}),
+            ("foo, bar=", {"foo": None, "bar": ""}),
+            ("=foo, =", {}),
+        ],
+    )
+    def test_dict_header(self, value, expect):
+        assert http.parse_dict_header(value) == expect
 
     def test_cache_control_header(self):
         cc = http.parse_cache_control_header("max-age=0, no-cache")
@@ -204,6 +211,10 @@ def test_authorization_header(self):
         assert Authorization.from_header(None) is None
         assert Authorization.from_header("foo").type == "foo"
 
+    def test_authorization_ignore_invalid_parameters(self):
+        a = Authorization.from_header("Digest foo, bar=, =qux, =")
+        assert a.to_header() == 'Digest foo, bar=""'
+
     def test_authorization_token_padding(self):
         # padded with =
         token = base64.b64encode(b"This has base64 padding").decode()
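Review bot: The new parametrize cases for `test_dict_header` exercise `=foo` and a bare `=`, but no case where a list element is empty outright (an input like `"foo, , bar=x"`), which takes the no-value path rather than the path the new `if not key` check guards. Adding `("foo, , bar=x", {"foo": None, "bar": "x"})` would pin whether nameless items are dropped on that path too; if the parser currently keeps a `""` key there, the case documents a gap rather than passing silently. The expected mapping is my assumption about the intended contract, so confirm it against `parse_dict_header` before committing to it.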
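Review bot: `test_authorization_ignore_invalid_parameters` asserts only the `to_header()` round-trip, so it would also pass if the parser kept an invalid entry that serialization happens to omit or rewrite; the parsed mapping is the thing the change is about. I would add an assertion on the parsed state alongside the existing one, e.g. `assert a.parameters == {"foo": None, "bar": ""}`, assuming `Authorization` exposes the parsed parameters under that attribute (not visible in this hunk, so verify the name). A one-line comment on the test stating why `=qux` and `=` are expected to vanish (nameless parameters are ignored) would also make the intent clear to the next reader.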