Fix unquote IndexError on empty string input

unquote() in _utils.py accesses value[0] and value[-1] without checking
string length first. This raises IndexError when called with an empty
string, which can occur when parsing Digest auth WWW-Authenticate
headers containing parameters with empty unquoted values (e.g. realm=
instead of realm="").

Added a len(value) >= 2 guard and comprehensive test coverage for
empty strings, single characters, quoted values, and unquoted values.

Note: encode#3771 addresses the same issue. This PR adds the regression tests
that are missing there. Happy to close in favor of that PR if tests are
added.

Powered by codepo8 — tribal knowledge extraction identified this as a
guard-level issue: "Check string length before accessing index 0 in
unquote() utilities because empty string inputs cause an IndexError."

Author: hrv-dys

httpx/_utils.py

@@ -89,7 +89,9 @@ def to_bytes_or_str(value: str, match_type_of: typing.AnyStr) -> typing.AnyStr:
 
 
 def unquote(value: str) -> str:
-    return value[1:-1] if value[0] == value[-1] == '"' else value
+    if len(value) >= 2 and value[0] == value[-1] == '"':
+        return value[1:-1]
+    return value
 
 
 def peek_filelike_length(stream: typing.Any) -> int | None:

tests/test_utils.py

@@ -6,7 +6,7 @@
 import pytest
 
 import httpx
-from httpx._utils import URLPattern, get_environment_proxies
+from httpx._utils import URLPattern, get_environment_proxies, unquote
 
 
 @pytest.mark.parametrize(
@@ -148,3 +148,19 @@ def test_pattern_priority():
         URLPattern("http://"),
         URLPattern("all://"),
     ]
+
+
+@pytest.mark.parametrize(
+    ["value", "expected"],
+    [
+        ('""', ""),
+        ('"hello"', "hello"),
+        ('"hello world"', "hello world"),
+        ("hello", "hello"),
+        ("", ""),
+        ('"', '"'),
+        ("noquotes", "noquotes"),
+    ],
+)
+def test_unquote(value, expected):
+    assert unquote(value) == expected