classification
Title: urllib2 basic auth handler doesn't handle realm names in single-quoted strings
Type: behavior Stage:
Components: Library (Lib) Versions: Python 2.6
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: georg.brandl Nosy List: georg.brandl, jafo, varmaa
Priority: normal Keywords: patch

Created on 2008-02-18 01:02 by varmaa, last changed 2008-03-21 19:54 by georg.brandl. This issue is now closed.

Files
File name Uploaded Description
urllib2_single_quoted_auth_fix.patch varmaa, 2008-02-18 01:02 Patch to fix the bug described in this issue.
Messages (3)
msg62513 - Author: Atul Varma (varmaa) Date: 2008-02-18 01:02
This isn't necessarily a bug in Python--it's really a bug in websites
that produce what are technically malformed WWW-Authenticate headers, I
believe.

According to RFC 2617, a WWW-Authenticate header should be of the form:

  WWW-Authenticate: Basic realm="Private"

However, some websites produce the header using single-quotes:

  WWW-Authenticate: Basic realm='Private'

The Firefox browser deals with this gracefully, but Python's urllib2
does not; specifically, an AbstractBasicAuthHandler does not recognize
the second type of header as an auth header at all, and as a result it's
impossible to access sites protected with such headers.

The attached patch alters the behavior of the class to deal with this
situation gracefully, and also adds a unit test to ensure that the
functionality works.

Implementation notes: This isn't the most well-engineered fix in the
world; in particular, I didn't change the regex used to parse
WWW-Authenticate headers, in part because (A) such a regex was difficult
to compose and (B) it would've been quite difficult to read, and I
didn't want to inadvertently mess up the current behavior of the code.
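
A tolerant parser for the two header forms described in the report above, as an added example that is not part of the original issue, the attached patch, or the change committed in r61711; the function names and sample headers are constructed for illustration. It accepts a single-quoted realm but records whether the value used the RFC 2617 double-quoted form, so a client can log servers that depend on the lenient path.

```python
import re

# Scheme, then realm=<quote>value<same quote>. The backreference \2 makes the
# closing quote match the opening one, so realm='x" is rejected.
_CHALLENGE = re.compile(
    r"""^\s*([^\s,]+)\s+realm=(["'])(.*?)\2\s*(?:,|$)""", re.IGNORECASE)


def parse_basic_challenge(value):
    """Parse a WWW-Authenticate header value.

    Returns (realm, rfc_conformant) for a Basic challenge, or None when the
    value is not a Basic challenge with a quoted realm.
    """
    m = _CHALLENGE.match(value)
    if m is None or m.group(1).lower() != "basic":
        return None
    return m.group(3), m.group(2) == '"'


def nonconformant(values):
    """Return the header values that parse only under the lenient rule."""
    out = []
    for v in values:
        parsed = parse_basic_challenge(v)
        if parsed is not None and not parsed[1]:
            out.append(v)
    return out


# Constructed sample header values (not taken from any real site).
SAMPLES = [
    'Basic realm="Private"',                 # RFC 2617 form
    "Basic realm='Private'",                 # single-quoted form from the report
    'basic REALM="Private", charset="UTF-8"',
    "Basic realm='Private\"",                # mismatched quotes
    'Digest realm="Private", nonce="abc"',   # not a Basic challenge
    "Basic realm=Private",                   # unquoted
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", parse_basic_challenge(s))
```
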
msg64123 - Author: Sean Reifschneider (jafo) * (Python committer) Date: 2008-03-19 23:36
This patch looks good to me, but I don't know the implications of this.
It seems reasonable to me, but I'd defer to an HTTP lawyer.
msg64267 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2008-03-21 19:54
Huh, I'm not really an HTTP expert either :)
But this seems reasonable to me. Implemented this (with a slightly
different patch) in r61711.
History
Date User Action Args
2008-03-21 19:54:07 georg.brandl set status: open -> closed
resolution: fixed
messages: + msg64267
2008-03-19 23:36:45 jafo set priority: normal
assignee: georg.brandl
messages: + msg64123
keywords: + patch
nosy: + georg.brandl, jafo
2008-02-18 01:02:47 varmaa create