Message 228925 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	mcepl
Recipients	Rosuav, arigo, christian.heimes, demian.brecht, icordasc, mcepl, ncoghlan, orsenthil, pitrou, r.david.murray
Date	2014-10-09.22:04:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1412892241.96.0.89665451548.issue19494@psf.upfronthosting.co.za>
In-reply-to

Content
> In my own case I use os.popen(“wget …”) instead of urllib2 just because some version long ago failed on some web site. I can trust that this external tool works all the time. It would be great if urllib2 worked as well nowadays. I believe that Python scripts are used mostly for accessing an API of some kind, and for that wget is not the best tool, IMHO. You would have to effectively rebuild whole support for authorization, proxies, parsing of the results, etc. on the top of wget. Not the best idea, IMHO. Of course, wget is great for downloading piece of HTML and doing something with it, but not for more complicated communication with some API on the Net. > So my opinion on this issue, as a mere user, is that it is purely a bug which Python 2.7 should fix it, Strictly speaking there is no Python bug at all. Just the opposite is true … Python strictly follows RFC and GitHub et al. break it. Of course, it is possible that GitHub's breaking the standards have some merits … I am not saying RFCs are the Holy Writ and if there are security problems with strict following them, be it. But it is not Python's fault for following standards. > and it should do so in a transparent way. Adding some new class that can only be found by careful reading of the latest version of the docs is useless: people will instead blame urllib2 as a whole and switch to something else. Well, I cannot help people who are not willing to read documentation. And frankly I don't want to. Default sending credentials on wire (with many many ways how to leak the information to third parties) is certainly not a great idea either. So we would have to add some option to urllib2.urlopen (or wherever else) and people not reading documentation would loose anyway. > Can someone confirm how common browser (one is enough) deal with it? If they also send the authorization headers in the initial request, then I really, really don't see why urllib2 shouldn't by default. I have discussed with developers of Firefox, and of course they never send authorization blindly. On the other hand, as I said there are many differences between Firefox and normal Python scripts. Firefox has usually very long sessions (comparing to scripts), so the fact that on first request there are never credentials send is not that important when there are many many more requests usually coming and after the first 401 error there are of course all subsequent requests with Authorization header.

> In my own case I use os.popen(“wget …”) instead of urllib2 just because some version long ago failed on some web site.  I can trust that this external tool works all the time.  It would be great if urllib2 worked as well nowadays.  

I believe that Python scripts are used mostly for accessing an API of some kind, and for that wget is not the best tool, IMHO.  You would have to effectively rebuild whole support for authorization, proxies, parsing of the results, etc. on the top of wget. Not the best idea, IMHO. Of course, wget is great for downloading piece of HTML and doing something with it, but not for more complicated communication with some API on the Net.

> So my opinion on this issue, as a mere user, is that it is purely a bug which Python 2.7 should fix it,

Strictly speaking there is no Python bug at all. Just the opposite is true … Python strictly follows RFC and GitHub et al. break it.

Of course, it is possible that GitHub's breaking the standards have some merits … I am not saying RFCs are the Holy Writ and if there are security problems with strict following them, be it. But it is not Python's fault for following standards.

> and it should do so in a transparent way.  Adding some new class that can only be found by careful reading of the latest version of the docs is useless: people will instead blame urllib2 as a whole and switch to something else.

Well, I cannot help people who are not willing to read documentation. And frankly I don't want to.

Default sending credentials on wire (with many many ways how to leak the information to third parties) is certainly not a great idea either. So we would have to add some option to urllib2.urlopen (or wherever else) and people not reading documentation would loose anyway.

> Can someone confirm how common browser (one is enough) deal with it?  If they also send the authorization headers in the initial request, then I really, really don't see why urllib2 shouldn't by default.

I have discussed with developers of Firefox, and of course they never send authorization blindly. On the other hand, as I said there are many differences between Firefox and normal Python scripts. Firefox has usually very long sessions (comparing to scripts), so the fact that on *first request* there are never credentials send is not that important when there are many many more requests usually coming and after the first 401 error there are of course all subsequent requests with Authorization header.

History
Date	User	Action	Args
2014-10-09 22:04:02	mcepl	set	recipients: + mcepl, arigo, ncoghlan, orsenthil, pitrou, christian.heimes, r.david.murray, Rosuav, icordasc, demian.brecht
2014-10-09 22:04:01	mcepl	set	messageid: <1412892241.96.0.89665451548.issue19494@psf.upfronthosting.co.za>
2014-10-09 22:04:01	mcepl	link	issue19494 messages
2014-10-09 22:04:01	mcepl	create