This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: urllib gives incorrect url after open when using HTTPS
Type: behavior Stage: test needed
Components: Library (Lib) Versions: Python 3.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: John.McKay, benjamin.peterson, cheryl.sabella
Priority: normal Keywords: patch

Created on 2014-11-26 10:37 by John.McKay, last changed 2022-04-11 14:58 by admin.

Files
File name: urllib.patch Uploaded: John.McKay, 2014-11-26 10:37
Messages (6)
msg231702 - (view) Author: John McKay (John.McKay) * Date: 2014-11-26 10:37
After getting a successful response, _open_generic_http will overwrite the start of the url to be http: regardless of if it was called from open_http() or open_https(). This causes it to appear as if you were redirected to a non-secure site if you check the url properly after an open request. This is especially problematic after being redirected; it appears you were redirected to an insecure version of the site.

Attached is a patch to resolve this. It uses the type, which should be correctly set to http or https based on the calling context.
msg231720 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2014-11-26 16:11
Thank you for the patch. It would be nice to have a test, too.
msg232203 - (view) Author: Demian Brecht (demian.brecht) * (Python triager) Date: 2014-12-05 18:36
+1 to the addition of a test. Also, I know it's only related, but it might be nice to also have this fixed in http_error_default: https://hg.python.org/cpython/file/021c1df36910/Lib/urllib/request.py#l2003.
msg232204 - (view) Author: John McKay (John.McKay) * Date: 2014-12-05 18:50
For the test can I assume that we have the openssl binary in the path? The other tests just use a static response to emulate the server, but without being able to use s_client it would be quite a bit more effort to fake a working HTTP server with TLS so that it can be tested properly.
msg232205 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2014-12-05 19:52
We have a testing HTTPS server in Lib/test/ssl_servers.py.
msg310535 - (view) Author: Cheryl Sabella (cheryl.sabella) * (Python committer) Date: 2018-01-23 22:50
@John.McKay, would you be interested in converting your patch to a GitHub pull request on the master branch?
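
The behaviour reported in msg231702, modelled offline as an added example that is not part of the tracker thread, the attached patch, or CPython. The functions `open_generic_buggy`, `open_generic_patched`, `downgraded` and `check` are hypothetical stand-ins, and the `example.test` URLs are constructed; only the URL bookkeeping is modelled, with no network or TLS involved.

```python
import io
from email.message import Message
from urllib.parse import urlsplit
from urllib.response import addinfourl


def _fake_response(reported_url):
    """Wrap a constructed empty body in the response type urllib hands back."""
    return addinfourl(io.BytesIO(b""), Message(), reported_url, 200)


def open_generic_buggy(scheme, rest):
    """Stand-in for the reported behaviour: the prefix is always 'http:'."""
    return _fake_response("http:" + rest)


def open_generic_patched(scheme, rest):
    """Stand-in for the patch description: the prefix follows the caller's type."""
    return _fake_response(scheme + ":" + rest)


def downgraded(requested_url, response):
    """True when an https request reports a non-https final URL."""
    asked = urlsplit(requested_url).scheme
    got = urlsplit(response.url).scheme
    return asked == "https" and got != "https"


def check(opener, requested_url):
    """Return (reported URL, downgrade flag) for one simulated open."""
    scheme, rest = requested_url.split(":", 1)
    resp = opener(scheme, rest)
    try:
        return resp.url, downgraded(requested_url, resp)
    finally:
        resp.close()


if __name__ == "__main__":
    url = "https://example.test/login"  # constructed sample URL
    for opener in (open_generic_buggy, open_generic_patched):
        print(opener.__name__, check(opener, url))
```

A caller that validates the final URL's scheme after a request, for example to detect a redirect to plain HTTP, gets a false downgrade signal from the first stand-in even though the connection itself used HTTPS.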
History
Date User Action Args
2022-04-11 14:58:10 admin set github: 67135
2018-01-23 22:50:49 cheryl.sabella set nosy: + cheryl.sabella; messages: + msg310535; versions: + Python 3.7, - Python 3.4, Python 3.5
2015-02-13 01:25:43 demian.brecht set nosy: - demian.brecht
2014-12-05 19:52:26 benjamin.peterson set messages: + msg232205
2014-12-05 18:50:31 John.McKay set messages: + msg232204
2014-12-05 18:36:24 demian.brecht set nosy: + demian.brecht; messages: + msg232203
2014-11-26 16:11:11 benjamin.peterson set nosy: + benjamin.peterson; messages: + msg231720; stage: test needed
2014-11-26 10:37:27 John.McKay create