Message 149915 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	joneskoo
Recipients	carljm, joneskoo, orsenthil
Date	2011-12-20.15:02:44
SpamBayes Score	8.263976e-06
Marked as misclassified	No
Message-id	<1324393425.24.0.243026081887.issue13642@psf.upfronthosting.co.za>
In-reply-to

Content
Reproduction: >>> import urllib >>> urllib.urlopen("https://example.com/") Enter username for Test Site at example.com: user Enter password for user in Test Site at example.com: top secret Enter username for Test Site at example.com: # If the correct password contains spaces, nothing will be accepted. The problem is that the password in basic auth is URI quoted and then base64 encoded. The password should not be quoted. RFC 2617: userid = <TEXT excluding ":"> password = TEXT base64-user-pass = <base64 [4] encoding of user-pass, except not limited to 76 char/line> I traced the problem with Pydev to urllib retry_https_basic_auth where I can see that user = "user" passwd = "my secret password" After that, the path is like this: self.retry_https_basic_auth: self.open(fullurl="https://user:my%20%secret%20password@example.com/") self.open_https(url="://user:my%20%secret%20password@example.com/") => in open_https: host, selector = splithost(url) user_passwd, host = splituser(host) host = unquote(host) user_passwd is not unquoted, host is. I found closely related Issue2244 - but did not confirm where this bug has been introduced. I added some people from 2244 to this issue. I hope that is ok. I think a test should be added that covers usernames and passwords with spaces to avoid further regressions. The reproduction code given works with Python 2.4.3 urllib. This probably also affects python3, did not try.

Reproduction:

>>> import urllib
>>> urllib.urlopen("https://example.com/")
Enter username for Test Site at example.com: user
Enter password for user in Test Site at example.com: top secret
Enter username for Test Site at example.com:
# If the correct password contains spaces, nothing will be accepted.

The problem is that the password in basic auth is URI quoted and then base64 encoded. The password should not be quoted.

RFC 2617:
      userid      = *<TEXT excluding ":">
      password    = *TEXT
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>

I traced the problem with Pydev to urllib retry_https_basic_auth where I can see that
  user = "user"
  passwd = "my secret password"

After that, the path is like this:
self.retry_https_basic_auth:
  self.open(fullurl="https://user:my%20%secret%20password@example.com/")
  self.open_https(url="://user:my%20%secret%20password@example.com/")
  => in open_https:
    host, selector = splithost(url)
    user_passwd, host = splituser(host)
    host = unquote(host)

user_passwd is not unquoted, host is.

I found closely related Issue2244 - but did not confirm where this bug has been introduced. I added some people from 2244 to this issue. I hope that is ok.

I think a test should be added that covers usernames and passwords with spaces to avoid further regressions. The reproduction code given works with Python 2.4.3 urllib. This probably also affects python3, did not try.

History
Date	User	Action	Args
2011-12-20 15:03:45	joneskoo	set	recipients: + joneskoo, orsenthil, carljm
2011-12-20 15:03:45	joneskoo	set	messageid: <1324393425.24.0.243026081887.issue13642@psf.upfronthosting.co.za>
2011-12-20 15:02:45	joneskoo	link	issue13642 messages
2011-12-20 15:02:44	joneskoo	create