classification
Title: Accepting Badly formed headers in urllib HTTPBasicAuth
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.2
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: orsenthil
Nosy List: Alex.Leon, ezio.melotti, orsenthil, petri.lehtinen, python-dev, r.david.murray, shevegen
Priority: normal
Keywords: patch

Created on 2011-07-12 13:48 by Alex.Leon, last changed 2012-05-15 16:09 by orsenthil. This issue is now closed.

Files
File name Uploaded Description
issue12541.patch orsenthil, 2011-08-07 08:26
Messages (10)
msg140191 - Author: Alex Leon (Alex.Leon) Date: 2011-07-12 13:48
It looks like some servers using basic authentication don't include quotes around the realm (example https://api.connect2field.com) as required by RFC 2617. urllib won't handle these requests and silently fails, but a simple change to the regex in AbstractBasicAuthHandler from
 
'realm=(["\'])(.*?)\\2', re.I)
to
'realm=(["\']?)(["\']*)\\2', re.I)

would make authentication more flexible.
msg141606 - Author: Alex Leon (Alex.Leon) Date: 2011-08-03 11:46
For some reason a caret went missing in the regex fix.
It should read

'realm=(["\']?)([^"\']*)\\2', re.I)
msg141739 - Author: Senthil Kumaran (orsenthil) (Python committer) Date: 2011-08-07 08:26
Here is a patch with the test for accepting the badly formed headers. I would like to ensure that the change in the regex is fool-proof in order to accommodate this bad behavior, so that we don't break the existing stuff.

It is a problem at the server end; I found that browsers throw a warning before accepting that.
msg141750 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2011-08-07 22:16
Perhaps we should issue a warning, then, too?
msg141766 - Author: Senthil Kumaran (orsenthil) (Python committer) Date: 2011-08-08 10:48
I don't think so. We are just making our regex a bit lenient. I am not
sure how we can raise a warning with a more lenient regex.

As with any parsing changes, I would like to be careful that we
don't introduce any regression.
msg141849 - Author: Alex Leon (Alex.Leon) Date: 2011-08-10 06:12
It could have a two-phase regex match. We match the first one, and if it fails, match the second and produce a warning.

I think producing a warning is a good idea, as it allows the programmer to know that the implementation of basic auth they are trying to connect to is broken, and might help with future connection attempts. Also, there are currently no warnings produced by Python if it fails to parse the auth header, and it's hard for a developer to know why.
msg141850 - Author: shevegen (shevegen) Date: 2011-08-10 07:49
I think a warning would be quite nice to have.
msg160731 - Author: Roundup Robot (python-dev) Date: 2012-05-15 14:42
New changeset 3e10d0148f79 by Senthil Kumaran in branch '2.7':
Issue #12541: Be lenient with quotes around Realm field with HTTP Basic Authentation in urllib2.
http://hg.python.org/cpython/rev/3e10d0148f79

New changeset bb94fec5c5ab by Senthil Kumaran in branch '3.2':
Issue #12541: Be lenient with quotes around Realm field of HTTP Basic Authentation in urllib2.
http://hg.python.org/cpython/rev/bb94fec5c5ab

New changeset bf20564296aa by Senthil Kumaran in branch 'default':
merge from 3.2 - Issue #12541: Be lenient with quotes around Realm field of HTTP Basic Authentation in urllib2.
http://hg.python.org/cpython/rev/bf20564296aa
msg160739 - Author: Roundup Robot (python-dev) Date: 2012-05-15 16:08
New changeset b82178b07e0f by Senthil Kumaran in branch '2.7':
Issue12541 - Add UserWarning for unquoted realms
http://hg.python.org/cpython/rev/b82178b07e0f

New changeset b5b38bda9fc4 by Senthil Kumaran in branch '3.2':
Issue12541 - Add UserWarning for unquoted realms
http://hg.python.org/cpython/rev/b5b38bda9fc4

New changeset 08fa1a47fa97 by Senthil Kumaran in branch 'default':
Issue12541 - Add UserWarning for unquoted realms
http://hg.python.org/cpython/rev/08fa1a47fa97
msg160740 - Author: Senthil Kumaran (orsenthil) (Python committer) Date: 2012-05-15 16:09
This issue is taken care of. Both in accepting unquoted Realm for basic auth leniently and then raising a UserWarning when encountering this case.
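
The two-phase match suggested in msg141849, written out as an added example; it is not the committed CPython patch. It tries the strict realm pattern from the thread first, then the corrected lenient one with a UserWarning. The scheme prefix, the function names and the sample headers are assumptions made here.

```python
import re
import warnings

# Assumption: a scheme group is prepended so that \2 refers to the quote
# group, which the realm fragments quoted in the thread rely on.
SCHEME = r'[ \t]*([^ \t]+)[ \t]+'
STRICT = re.compile(SCHEME + 'realm=(["\'])(.*?)\\2', re.I)
LENIENT = re.compile(SCHEME + 'realm=(["\']?)([^"\']*)\\2', re.I)


def parse_challenge(header):
    """Return (scheme, realm, was_quoted), or None when no realm matches."""
    m = STRICT.match(header)
    if m:
        return m.group(1), m.group(3), True
    m = LENIENT.match(header)
    if m:
        # Second phase: accepted, but the caller is told the server is off-spec.
        warnings.warn("Basic Auth realm was unquoted: %r" % m.group(3),
                      UserWarning, stacklevel=2)
        return m.group(1), m.group(3), False
    return None


def parse_and_count_warnings(header):
    """Hypothetical helper: run parse_challenge and count UserWarnings."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        result = parse_challenge(header)
    return result, sum(issubclass(w.category, UserWarning) for w in caught)


# Constructed sample WWW-Authenticate values (not taken from the issue).
SAMPLES = [
    'Basic realm="ACME Widget Store"',      # RFC 2617 form
    'Basic realm=ACME',                     # unquoted, the reported case
    'Basic realm=ACME, charset="UTF-8"',    # unquoted with a parameter after
    'Digest nonce="abc"',                   # no realm at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", parse_and_count_warnings(sample))
```

The third sample shows that the lenient pattern reads up to the next quote character, so anything following an unquoted realm becomes part of the captured realm.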
History
Date User Action Args
2012-05-15 16:09:35 orsenthil set status: open -> closed; resolution: fixed; messages: + msg160740; stage: needs patch -> resolved
2012-05-15 16:08:25 python-dev set messages: + msg160739
2012-05-15 14:42:27 python-dev set nosy: + python-dev; messages: + msg160731
2012-05-06 22:42:45 ezio.melotti set stage: needs patch
2011-08-10 07:49:01 shevegen set nosy: + shevegen; messages: + msg141850
2011-08-10 06:12:06 Alex.Leon set messages: + msg141849
2011-08-08 10:48:23 orsenthil set messages: + msg141766
2011-08-07 22:16:03 r.david.murray set nosy: + r.david.murray; messages: + msg141750
2011-08-07 08:26:58 orsenthil set files: + issue12541.patch; keywords: + patch; messages: + msg141739
2011-08-03 11:58:55 ezio.melotti set nosy: + ezio.melotti
2011-08-03 11:46:57 Alex.Leon set messages: + msg141606
2011-07-15 18:52:22 petri.lehtinen set nosy: + petri.lehtinen
2011-07-12 14:05:04 orsenthil set assignee: orsenthil; nosy: + orsenthil
2011-07-12 13:48:19 Alex.Leon create