classification
Title: Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop'
Type: crash
Stage: resolved
Components: Library (Lib)
Versions: Python 3.9, Python 3.8, Python 3.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: orsenthil
Nosy List: Stephen Balousek, miss-islington, orsenthil
Priority: normal
Keywords: patch

Created on 2020-02-03 23:31 by Stephen Balousek, last changed 2020-02-29 21:25 by orsenthil. This issue is now closed.

Pull Requests
URL Status Linked
PR 18338 merged Stephen Balousek, 2020-02-03 23:50
PR 18711 merged miss-islington, 2020-02-29 20:32
PR 18712 merged miss-islington, 2020-02-29 20:46
Messages (4)
msg361330 - Author: Stephen Balousek (Stephen Balousek) * Date: 2020-02-03 23:31
When making an HTTP request using an opener with an attached HTTPDigestAuthHandler, the request causes a crash when the returned 'WWW-Authenticate' header for the 'Digest' domain does not return the optional 'qop' value.

Response headers:
=================
Content-Type: application/json
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline';img-src 'self' data:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 600
WWW-Authenticate: Digest realm="ServiceManager", nonce="1580815098100956"
WWW-Authenticate: Basic realm="ServiceManager", charset="UTF-8"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Expires: 0
Pragma: no-cache

Crash:
======
Error:   Exception: 'NoneType' object has no attribute 'split'
Traceback (most recent call last):
...
  File "/home/sbalousek/bin/restap.py", line 1317, in RunTest
    status, payload, contentType = ExecuteRequest(baseUrl, test, tap);
  File "/home/sbalousek/bin/restap.py", line 1398, in ExecuteRequest
    response    = opener.open(request, payload, timeout);
  File "/usr/lib/python3.8/urllib/request.py", line 523, in open
    response = meth(req, response)
  File "/home/sbalousek/bin/restap.py", line 1065, in http_response
    return self.process_response(request, response, HTTPErrorProcessor.http_response);
  File "/home/sbalousek/bin/restap.py", line 1056, in process_response
    return handler(self, request, response);
  File "/usr/lib/python3.8/urllib/request.py", line 632, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 555, in error
    result = self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 1203, in http_error_401
    retry = self.http_error_auth_reqed('www-authenticate',
  File "/usr/lib/python3.8/urllib/request.py", line 1082, in http_error_auth_reqed
    return self.retry_http_digest_auth(req, authreq)
  File "/usr/lib/python3.8/urllib/request.py", line 1090, in retry_http_digest_auth
    auth = self.get_authorization(req, chal)
  File "/usr/lib/python3.8/urllib/request.py", line 1143, in get_authorization
    if 'auth' in qop.split(','):
AttributeError: 'NoneType' object has no attribute 'split'

Diagnosis:
==========
The crash is a result of an optional 'qop' value missing from the 'WWW-Authenticate' header.

This bug was introduced in changes for issue 38686.
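
The failure mode in this report, as an added example (not code from the issue, the linked pull requests, or CPython): it parses the `Digest` challenge shown in the response headers with urllib's own `parse_http_list` and `parse_keqv_list`, reproduces the `None.split` error, and computes the response in a way that tolerates an absent `qop`. The helper names, the MD5 default and the credentials are assumptions made for the illustration.

```python
import hashlib
from urllib.request import parse_http_list, parse_keqv_list

# Digest challenge copied from the response headers in the report.
CHALLENGE = 'Digest realm="ServiceManager", nonce="1580815098100956"'


def parse_challenge(header_value):
    """Split a WWW-Authenticate value into (scheme, parameter dict)."""
    scheme, _, params = header_value.partition(" ")
    return scheme.lower(), parse_keqv_list(parse_http_list(params))


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def unguarded_qop_check(chal):
    """Same shape as the failing line in the traceback."""
    return "auth" in chal.get("qop").split(",")  # AttributeError if no qop


def digest_response(chal, user, password, method, uri, cnonce=None, nc=1):
    """Compute the Digest 'response' value, tolerating an absent qop."""
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qop = chal.get("qop")  # optional parameter: None when omitted
    if qop is None:
        # RFC 2069 compatible form: no cnonce or nonce count in the hash.
        return md5_hex(f"{ha1}:{chal['nonce']}:{ha2}")
    if "auth" in [q.strip() for q in qop.split(",")]:
        if cnonce is None:
            raise ValueError("qop=auth requires a client nonce")
        return md5_hex(f"{ha1}:{chal['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")
    raise ValueError(f"unsupported qop: {qop!r}")


if __name__ == "__main__":
    scheme, chal = parse_challenge(CHALLENGE)
    print(scheme, chal)
    # Credentials, method and URI below are constructed for the example.
    print(digest_response(chal, "user", "secret", "GET", "/api"))
    try:
        unguarded_qop_check(chal)
    except AttributeError as exc:
        print("unguarded check:", exc)
```
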
msg363012 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2020-02-29 20:32
New changeset 5e260e0fde211829fcb67060cfd602f4b679f802 by Stephen Balousek in branch 'master':
bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
https://github.com/python/cpython/commit/5e260e0fde211829fcb67060cfd602f4b679f802
msg363014 - Author: miss-islington (miss-islington) Date: 2020-02-29 20:49
New changeset cf347f3089631c3c2467e46ed609bfe67e539487 by Miss Islington (bot) in branch '3.7':
bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
https://github.com/python/cpython/commit/cf347f3089631c3c2467e46ed609bfe67e539487
msg363015 - Author: miss-islington (miss-islington) Date: 2020-02-29 21:05
New changeset e4686b79798f7a492dcbaa62cf51f4d07fd5ae78 by Miss Islington (bot) in branch '3.8':
bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
https://github.com/python/cpython/commit/e4686b79798f7a492dcbaa62cf51f4d07fd5ae78
History
Date User Action Args
2020-02-29 21:25:11 orsenthil set status: open -> closed; assignee: orsenthil; resolution: fixed; stage: patch review -> resolved
2020-02-29 21:05:27 miss-islington set messages: + msg363015
2020-02-29 20:49:24 miss-islington set messages: + msg363014
2020-02-29 20:46:42 miss-islington set pull_requests: + pull_request18071
2020-02-29 20:32:13 miss-islington set nosy: + miss-islington; pull_requests: + pull_request18070
2020-02-29 20:32:01 orsenthil set nosy: + orsenthil; messages: + msg363012
2020-02-06 13:11:07 Stephen Balousek set versions: + Python 3.7
2020-02-03 23:50:43 Stephen Balousek set keywords: + patch; stage: patch review; pull_requests: + pull_request17711
2020-02-03 23:31:29 Stephen Balousek create