classification
Title: urllib2 digest authentication problems
Type: behavior
Stage: test needed
Components:
Versions: Python 3.1, Python 3.2, Python 2.7
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: orsenthil
Nosy List: encukou, exarkun, orsenthil
Priority: normal
Keywords: easy, patch

Created on 2009-02-16 23:51 by encukou, last changed 2014-02-03 19:22 by BreamoreBoy.

Files
File name Uploaded Description
python-urllib2.patch encukou, 2009-02-16 23:51
Messages (3)
msg82284 - Author: Petr Viktorin (encukou) Date: 2009-02-16 23:51
I introduced Python to my dad, and the first thing he did with it was to
try to connect to a proprietary HTTP-based server, which uses Digest
authentication. It looks like urllib2's Digest support isn't well
tested. So, after not much more than a "Hello World", he ended up
patching urllib2 (and learning a lot more about Python than he would
have)...

Anyways, here are the problems:

- Currently, AbstractBasicAuthHandler and AbstractDigestAuthHandler each
use a different method to find out whether they should kick in. This matters
when the server supports both methods, and sends out two authentication
headers. Basic uses a regexp that matches the last header, and Digest
looks at the first one. So, if the server happens to support both, and
sends the digest header after the basic one, each of the handlers
assumes the other one should handle it and none does.
The fix in the patch is crude, but it should work better than now.

- nonce_count should be reset when the server issues a new nonce
(See RFC 2617, page 12, nonce-count). So, the nonce value should be
stored and nonce_count should be reset if it doesn't match.

- Added a max_attempts attribute and set it to 2 by default (instead of
5). Two may or may not work better in general, but it should probably be
configurable. This particular change is not too critical, obviously.

- The HTTPError returned from the digest handler is not a file-like
object, due to http_error_auth_reqed not taking a "fp" argument. The
patch fixes that and the two calls to it.

Credit Libor Viktorin if some of the patch makes it.
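
A sketch of the first two points in the report above, as an added example that is not part of the original report, the attached patch, or urllib2 itself: choosing the scheme independently of header order, and restarting the nonce count when the server sends a new nonce. The names `parse_challenge`, `select_challenge` and `NonceCounter` are hypothetical, the sample headers are constructed, and each header value is assumed to carry exactly one challenge.

```python
import re

# Constructed sample: a server offering both schemes, Basic first, Digest last.
SAMPLE_CHALLENGES = [
    'Basic realm="example"',
    'Digest realm="example", nonce="abc123", qop="auth", algorithm=MD5',
]

# key="quoted value" or key=token
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Split one WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header.strip().partition(' ')
    params = {k.lower(): (q or t) for k, q, t in _PARAM.findall(rest)}
    return scheme.lower(), params


def select_challenge(headers, preference=('digest', 'basic')):
    """Pick the preferred offered scheme, whatever order the headers came in."""
    offered = dict(parse_challenge(h) for h in headers)
    for scheme in preference:
        if scheme in offered:
            return scheme, offered[scheme]
    return None, {}


class NonceCounter:
    """Count requests sent with the current nonce (the RFC 2617 nc value)."""

    def __init__(self):
        self.last_nonce = None
        self.count = 0

    def next_nc(self, nonce):
        if nonce != self.last_nonce:
            # The server issued a new nonce: remember it and restart the count.
            self.last_nonce = nonce
            self.count = 0
        self.count += 1
        return '%08x' % self.count  # nc is eight hex digits, starting at 1


if __name__ == '__main__':
    scheme, params = select_challenge(SAMPLE_CHALLENGES)
    counter = NonceCounter()
    print(scheme, params['nonce'], counter.next_nc(params['nonce']))
```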
msg109886 - Author: Mark Lawrence (BreamoreBoy) Date: 2010-07-10 16:28
To quote msg82284. "The fix in the patch is crude, but it should work better than now."  Would this be acceptable?
msg109887 - Author: Jean-Paul Calderone (exarkun) (Python committer) Date: 2010-07-10 16:42
Some unit tests which demonstrate the present non-working behavior and the correctness of the fix would help a lot.
History
Date User Action Args
2014-02-03 19:22:07 BreamoreBoy set nosy: - BreamoreBoy
2010-07-10 16:44:39 orsenthil set assignee: orsenthil
2010-07-10 16:42:33 exarkun set nosy: + exarkun; messages: + msg109887
2010-07-10 16:28:54 BreamoreBoy set nosy: + BreamoreBoy, orsenthil; messages: + msg109886; versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6
2009-04-22 14:41:21 ajaksu2 set priority: normal; keywords: + easy; type: behavior; stage: test needed
2009-02-16 23:51:38 encukou create