Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop' #83729

Closed
sbalousek mannequin opened this issue Feb 3, 2020 · 4 comments
Closed

Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop' #83729

sbalousek mannequin opened this issue Feb 3, 2020 · 4 comments
Assignees
@orsenthil
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@sbalousek
Copy link
Mannequin

sbalousek mannequin commented Feb 3, 2020

BPO 39548
Nosy @orsenthil, @miss-islington, @sbalousek
PRs
  • bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth #18338
  • [3.7] bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338) #18711
  • [3.8] bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338) #18712
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/orsenthil'
closed_at = <Date 2020-02-29.21:25:11.484>
created_at = <Date 2020-02-03.23:31:29.049>
labels = ['3.8', '3.7', 'library', '3.9', 'type-crash']
title = "Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop'"
updated_at = <Date 2020-02-29.21:25:11.484>
user = 'https://github.com/sbalousek'

    bugs.python.org fields:

    activity = <Date 2020-02-29.21:25:11.484>
actor = 'orsenthil'
assignee = 'orsenthil'
closed = True
closed_date = <Date 2020-02-29.21:25:11.484>
closer = 'orsenthil'
components = ['Library (Lib)']
creation = <Date 2020-02-03.23:31:29.049>
creator = 'Stephen Balousek'
dependencies = []
files = []
hgrepos = []
issue_num = 39548
keywords = ['patch']
message_count = 4.0
messages = ['361330', '363012', '363014', '363015']
nosy_count = 3.0
nosy_names = ['orsenthil', 'miss-islington', 'Stephen Balousek']
pr_nums = ['18338', '18711', '18712']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue39548'
versions = ['Python 3.7', 'Python 3.8', 'Python 3.9']
    @sbalousek
    Copy link
    Mannequin Author

    sbalousek mannequin commented Feb 3, 2020

    When making an HTTP request using an opener with an attached HTTPDigestAuthHandler, the request causes a crash when the returned 'WWW-Authenticate' header for the 'Digest' domain does not return the optional 'qop' value.

    Response headers:
    =================
    Content-Type: application/json
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline';img-src 'self' data:
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 600
    WWW-Authenticate: Digest realm="ServiceManager", nonce="1580815098100956"
    WWW-Authenticate: Basic realm="ServiceManager", charset="UTF-8"
    Cache-Control: max-age=0, no-cache, no-store, must-revalidate
    Expires: 0
    Pragma: no-cache

    Crash:
    ======

    Error:   Exception: 'NoneType' object has no attribute 'split'
Traceback (most recent call last):
...
  File "/home/sbalousek/bin/restap.py", line 1317, in RunTest
    status, payload, contentType = ExecuteRequest(baseUrl, test, tap);
  File "/home/sbalousek/bin/restap.py", line 1398, in ExecuteRequest
    response    = opener.open(request, payload, timeout);
  File "/usr/lib/python3.8/urllib/request.py", line 523, in open
    response = meth(req, response)
  File "/home/sbalousek/bin/restap.py", line 1065, in http_response
    return self.process_response(request, response, HTTPErrorProcessor.http_response);
  File "/home/sbalousek/bin/restap.py", line 1056, in process_response
    return handler(self, request, response);
  File "/usr/lib/python3.8/urllib/request.py", line 632, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 555, in error
    result = self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 1203, in http_error_401
    retry = self.http_error_auth_reqed('www-authenticate',
  File "/usr/lib/python3.8/urllib/request.py", line 1082, in http_error_auth_reqed
    return self.retry_http_digest_auth(req, authreq)
  File "/usr/lib/python3.8/urllib/request.py", line 1090, in retry_http_digest_auth
    auth = self.get_authorization(req, chal)
  File "/usr/lib/python3.8/urllib/request.py", line 1143, in get_authorization
    if 'auth' in qop.split(','):
AttributeError: 'NoneType' object has no attribute 'split'

    Diagnosis:
    ==========
    The crash is a result of an optional 'qop' value missing from the 'WWW-Authenticate' header.

    This bug was introduced in changes for bpo-38686.

    @sbalousek sbalousek mannequin added 3.8 only security fixes 3.9 only security fixes stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump 3.7 (EOL) end of life labels Feb 3, 2020
    @orsenthil
    Copy link
    Member

    New changeset 5e260e0 by Stephen Balousek in branch 'master':
    bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
    5e260e0

    @miss-islington
    Copy link
    Contributor

    New changeset cf347f3 by Miss Islington (bot) in branch '3.7':
    bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
    cf347f3

    @miss-islington
    Copy link
    Contributor

    New changeset e4686b7 by Miss Islington (bot) in branch '3.8':
    bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
    e4686b7

    @orsenthil orsenthil self-assigned this Feb 29, 2020
    @orsenthil orsenthil self-assigned this Feb 29, 2020
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @orsenthil orsenthil

    Labels
    3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @orsenthil @miss-islington