
Author TFKyle
Recipients TFKyle
Date 2008-09-09.15:12:41
Message-id <1220973164.56.0.503421072226.issue3819@psf.upfronthosting.co.za>
In-reply-to
Content
When you request a URL that requests Basic authentication info,
HTTPBasicAuthHandler adds the Authorization header to the request as a
normal (not unredirected) header. Then, if the server returns a 301 or
302 redirect, HTTPRedirectHandler will send a request to the redirected
address, keeping the normal headers, including the Authorization header
HTTPBasicAuthHandler added. I'll attach the code I used to test this.

GET from libwww-perl seems to do this, but most browsers don't seem to
by default, and although I can't find much in the RFCs about how
redirecting is supposed to work wrt. auth headers (feel free to point
out sections if I'm blind), I think it breaks
ftp://ftp.isi.edu/in-notes/rfc2617.txt somewhat (section 1.1,
"""
The protection space determines the domain over which credentials can
be automatically applied. If a prior request has been authorized, the
same credentials MAY be reused for all other requests within that
protection space for a period of time determined by the
authentication scheme, parameters, and/or user preference. Unless
otherwise defined by the authentication scheme, a single protection
space cannot extend outside the scope of its server.
""") since redirects can point to arbitrary URLs off of the server.

As in bug #1480067, just adding the header as an unredirected header
would stop the header being sent across redirects, if that's indeed the
proper behaviour.
History
Date User Action Args
2008-09-09 15:12:44 TFKyle set recipients: + TFKyle
2008-09-09 15:12:44 TFKyle set messageid: <1220973164.56.0.503421072226.issue3819@psf.upfronthosting.co.za>
2008-09-09 15:12:43 TFKyle link issue3819 messages
2008-09-09 15:12:42 TFKyle create
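
The header handling described in the message above, as an added example that is not part of the original report or its attached test code. It assumes Python 3's `urllib.request` (the successor to `urllib2`) and runs offline by calling `redirect_request` directly. The hosts, the credential and the `SameHostAuthRedirectHandler` class are constructed for illustration.

```python
import urllib.request
from urllib.parse import urlsplit

# Constructed sample values: placeholder hosts and a dummy credential.
ORIGIN = "http://origin.example/protected"
OTHER = "http://other.example/landing"
CRED = "Basic dXNlcjpwYXNz"  # base64 of "user:pass"


def follow_redirect(req, newurl, handler=None):
    """Build the follow-up request a redirect handler creates for a 302."""
    handler = handler or urllib.request.HTTPRedirectHandler()
    return handler.redirect_request(req, None, 302, "Found", {}, newurl)


def sends_credentials(req):
    """True if an Authorization header would go out with this request."""
    return any(k.lower() == "authorization" for k, _ in req.header_items())


class SameHostAuthRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical hardening: drop Authorization when a redirect changes host."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and urlsplit(newurl).netloc != urlsplit(req.full_url).netloc:
            for key in [k for k in new.headers if k.lower() == "authorization"]:
                del new.headers[key]
        return new


def demo():
    normal = urllib.request.Request(ORIGIN)
    normal.add_header("Authorization", CRED)  # normal header, as reported
    unredirected = urllib.request.Request(ORIGIN)
    unredirected.add_unredirected_header("Authorization", CRED)  # suggested fix
    return {
        "normal": sends_credentials(follow_redirect(normal, OTHER)),
        "unredirected": sends_credentials(follow_redirect(unredirected, OTHER)),
        "stripped": sends_credentials(
            follow_redirect(normal, OTHER, SameHostAuthRedirectHandler())),
    }


if __name__ == "__main__":
    print(demo())
```

The custom handler covers callers that set `Authorization` themselves with `add_header`; it can be installed with `urllib.request.build_opener(SameHostAuthRedirectHandler())`.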