The HTTP spec specifies that the 401 (Unauthorized) response can be accompanied by multiple challenges, either as separate WWW-Authenticate headers or in a single WWW-Authenticate header separated by commas. The client should always pick the strongest supported which in the case of urllib is "digest". Unknown challenge types (for urllib that's anything but "basic" and "digest") should be ignored as long as there is a known one as well.

This is my first patch submission to cpython so please do point out anything I've done wrong! I'd like do more work on cpython so best to nip any bad habits in the bud!

In this patch I've re-written the parsing code to support this. I've tried to re-use existing code as much as possible, so I've based the new parser on the existing parse_http_list which I had to extend so that it can be used to parse single quoted strings. These single quoted strings are not valid for the HTTP spec but apparently they do appear in the wild and the existing implementation allowed them so I've continued to allow them. I've also kept the existing behaviour with regards to unquoted realm values, a warning is raised but otherwise they are allowed. The requirement of raising the warning added a slightly awkward bit to the code, but I assumed there was a good reason for that warning being there so I kept it in.

I should mention, this fixes the same issue mentioned in #13323 but more comprehensively and for python 3 (the old issue refers to urllib2 in python2).

I'm also affected by this. Could someone please apply the patch or provide some reason why it could not be applied?