classification
Title: urllib.request:AttributeError: 'dict' object has no attribute 'get_all' in http_error_auth_reqed function
Type: behavior Stage:
Components: Library (Lib) Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8, Python 3.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: andrei.avk, kj, sxt1001, vstinner
Priority: normal Keywords:

Created on 2021-10-22 13:35 by sxt1001, last changed 2021-11-23 02:45 by andrei.avk.

Files
File name Uploaded Description Edit
3.7.4 hang on.png sxt1001, 2021-10-22 13:35
3.7.4 fix Regex ok.png sxt1001, 2021-10-22 13:37
3.7.12 fail.png sxt1001, 2021-10-22 13:39
3.11.0a1 fail.png sxt1001, 2021-10-22 13:43
Messages (2)
msg404767 - (view) Author: tongxiaoge (sxt1001) Date: 2021-10-22 13:35
The python version I currently use in my development environment is 3.7.4. Using the following script, the program has never output, and seems to have entered an infinite loop.

To reproduce the issue we can use the following code:

from urllib.request import AbstractBasicAuthHandler
auth_handler = AbstractBasicAuthHandler()
header = {'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +'realm'}
auth_handler.http_error_auth_reqed('www-authenticate','unused','unused',header)




So I tried to upgrade it to version 3.7.12, and the program will directly report an error. The information is as follows:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/urllib/request.py", line 990, in http_error_auth_reqed
    headers = headers.get_all(authreq)
AttributeError: 'dict' object has no attribute 'get_all'

This problem also exists when I upgrade Python 3 to 3.11.0a1. In Python version 3.7.4, the cause of program hang on seems to be a security vulnerability. Refer to https://bugs.python.org/issue39503. The reason for CVE is not the wrong type of headers. However, after repairing CVE, it seems that the type of headers is limited? For the CVE patch, I tried to only fix the part of the regular expression, and the program can run. So, after repairing CVE-2020-8492, what type should the headers parameter be for http_error_auth_reqed  function? Based on the current code, how should I adapt and modify it to make it run normally?
msg406813 - (view) Author: Andrei Kulakov (andrei.avk) * (Python triager) Date: 2021-11-23 02:45
I'm not sure about the hang in 3.7 and CVE, but as far as `get_all()` error is concerned, it's due to passing the wrong kind of argument as `headers`.

For this (undocumented) method, `headers` should be a Message object created in this way, e.g.:

            headers = email.message_from_string(
                'Content-type: %s\nContent-length: %d\nLast-modified: %s\n' %
                (mtype or 'text/plain', size, modified))


(see https://github.com/python/cpython/blob/024209401ebc8a011f242af00efdd8ecece6953d/Lib/urllib/request.py#L1509)

Header obj created in this way does have the `get_all()` method, and I tested that the method runs without further errors.
History
Date User Action Args
2021-11-23 02:45:29andrei.avksetnosy: + kj, andrei.avk
messages: + msg406813
2021-10-22 13:54:57sxt1001setnosy: + vstinner
2021-10-22 13:43:39sxt1001setfiles: + 3.11.0a1 fail.png
2021-10-22 13:39:41sxt1001setfiles: + 3.7.12 fail.png
2021-10-22 13:37:45sxt1001setfiles: + 3.7.4 fix Regex ok.png
2021-10-22 13:35:34sxt1001create