This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: urrlib2 digest authentication problems
Type: behavior Stage: resolved
Components: Versions: Python 3.1, Python 3.2, Python 2.7
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: orsenthil Nosy List: exarkun, orsenthil, petr.viktorin
Priority: normal Keywords: easy, patch

Created on 2009-02-16 23:51 by petr.viktorin, last changed 2022-04-11 14:56 by admin. This issue is now closed.

File name Uploaded Description Edit
python-urllib2.patch petr.viktorin, 2009-02-16 23:51
Messages (4)
msg82284 - (view) Author: Petr Viktorin (petr.viktorin) * (Python committer) Date: 2009-02-16 23:51
I introduced Python to my dad, and the first thing he did with it was to
try to connect to a proprietary HTTP-based server, which uses Digest
authentication. It looks like urllib2's Digest support isn't well
tested. So, after not much more than a "Hello World", he ended up
patching urrlib2 (and learning a lot more about Python than he would

Anyways, here are the problems:

- Currently, AbstractBasicAuthHandler and AbstractDigestAuthHandler each
a different method to find out whether they should kick in. This matters
when the server supports both methods, and sends out two authentication
headers. Basic uses a regexp that matches the last haeder, and Digest
looks at the first one. So, if the server happens to support both, and
sends the digest header after the basic one, each of the handlers
assumes the other one should handle it and none does.
The fix in the patch is crude, but it should work better than now.

- nonce_count should be reset when the server issues a new nonce
(See RFC 2617, page 12, nonce-count). So, the nonce value should be
stored and nonce_count should be reset if it doesn't match

- Added a max_attempts attribute and set it to 2 by default (instead of
5). Two may or may not work better in general, but it should probably be
configurable. This particular change is not too critical, obviously.

- The HTTPError returned from the digest handler is not a file-like
object, due to http_error_auth_reqed not taking a "fp" argument. The
patch fixes that and the two calls to it.

Credit Libor Viktorin if some of the patch makes it.
msg109886 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2010-07-10 16:28
To quote msg82284. "The fix in the patch is crude, but it should work better than now."  Would this be acceptable?
msg109887 - (view) Author: Jean-Paul Calderone (exarkun) * (Python committer) Date: 2010-07-10 16:42
Some unit tests which demonstrate the present non-working behavior and the correctness of the fix would help a lot.
msg316846 - (view) Author: Petr Viktorin (petr.viktorin) * (Python committer) Date: 2018-05-16 17:42
I withdraw the patch (and I should have done that years ago). Nowadays, hopefully Requests does the right thing.
Date User Action Args
2022-04-11 14:56:45adminsetgithub: 49536
2018-05-16 17:42:48petr.viktorinsetstatus: open -> closed
resolution: out of date
messages: + msg316846

stage: test needed -> resolved
2014-02-03 19:22:07BreamoreBoysetnosy: - BreamoreBoy
2010-07-10 16:44:39orsenthilsetassignee: orsenthil
2010-07-10 16:42:33exarkunsetnosy: + exarkun
messages: + msg109887
2010-07-10 16:28:54BreamoreBoysetnosy: + BreamoreBoy, orsenthil

messages: + msg109886
versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6
2009-04-22 14:41:21ajaksu2setpriority: normal
keywords: + easy
type: behavior
stage: test needed
2009-02-16 23:51:38petr.viktorincreate