terminalmage · terminalmage · Aug 28, 2018 · Aug 27, 2018
diff --git a/salt/netapi/rest_cherrypy/app.py b/salt/netapi/rest_cherrypy/app.py
@@ -1930,7 +1930,7 @@ def _is_valid_token(self, auth_token):
         # than hex, this will raise a ValueError.
         try:
             int(auth_token, 16)
-        except ValueError:
+        except (TypeError, ValueError):
             return False
 
         # First check if the given token is in our session table; if so it's a

diff --git a/tests/integration/netapi/rest_cherrypy/app_test.py b/tests/integration/netapi/rest_cherrypy/app_test.py
@@ -2,6 +2,7 @@
 
 # Import python libs
 from __future__ import absolute_import
+import os
 import json
 
 # Import salttesting libs
@@ -172,6 +173,32 @@ def test_run_wrong_token(self):
         })
         assert response.status == '401 Unauthorized'
 
+    def test_run_pathname_token(self):
+        '''
+        Test the run URL with path that exists in token
+        '''
+        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
+    def test_run_pathname_not_exists_token(self):
+        '''
+        Test the run URL with path that does not exist in token
+        '''
+        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
 
 class TestWebhookDisableAuth(BaseRestCherryPyTest):
     __opts__ = {