New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NNTP authentication should check capabilities #54496
Comments
RFC 4643: The server MAY list the AUTHINFO capability with no arguments, which Yet, nntplib attempts to authenticate. self.capabilities() should be sent at startup. If "READER" is advertised, no need to send a "MODE READER" command at all... If "MODE-READER" is advertised, then "MODE READER" (if wanted) can be sent. Then authentication if "AUTHINFO USER" is advertised with NNTP version >=2. If "AUTHINFO" without "USER", no authentication at all. And after authentication, self.capabilities() should be sent again. Please note that the readermode_afterauth variable I see in the source code should normally not be used by a client... RFC 4643 mentions: o the MODE READER command MUST NOT be used in the |
By always sending capabilities at connection, some servers immediately throw an error. I've modified the class initialization to include an optional parameter to indicate if this should be disabled. |
A drawback is that CAPABILITIES will still being unsent after an upgrade of the news server to a more up-to-date version supporting the command. If CAPABILITIES is not understood by the news server, it is not an issue. A 500 response code is usually answered by the news server, which is RFC-compliant. nntplib should then behave properly. (getcapabilities() returns an empty dictionary when CAPABILITIES is not implemented.) |
Which kind of error? As Julien says, we could simply catch it and |
When using Easynews, it sends a 480 error (e.g. "nntplib.NNTPTemporaryError: 480 You must log in.") |
I think I've fixed it to do as described. Alas, I have no Easynews account to test it (I mailed their support about that so maybe that'll change). Would someone with an account mind to test, if it works? Nathan? |
Hynek, the patch doesn't apply properly here. Are you soon it's been generated against an up-to-date working copy? Also, I think the logic is wrong: the capabilities should *always* be queried after auth, even if they are already known. That's because they can change after auth is successful. See RFC 4643: “Other capabilities returned in response to a CAPABILITIES |
(oh, and better if it can come with a test) |
Sure, I wanted to add tests as soon as I know that the flow is correct (which it isn't :)). So essentially we want always CAPABILITIES ? That's rather simple to achieve. The tests are going to be the harder part. ;) Re the patch: I tried to generate it using SourceTree but probably did something wrong – will use hg next time again. |
I've added general tests of AUTH USER/PASS as there weren't any present yet. As I haven't alas heard back from Easynews, I can only presume they allow CAPABILITIES after a login – I've added a test case that models this behavior. Otherwise I did as it was asked: getcapabilities() is tolerant to temporary errors and we get them again after a login now. (I'm also using the remote repo tool now to avoid further patch fuckups – sorry for the extra mails.) |
I've made a couple of small comments (see "review" link next to the patch). |
Thanks! I think I've addressed everything in the latest patch. |
New changeset d789f453387d by Antoine Pitrou in branch '3.2': New changeset 98ad67529241 by Antoine Pitrou in branch 'default': |
Thank you :) Committed now. |
Perhaps I closed too quickly... Julien's original message had two other requests: “If "READER" is advertised, no need to send a "MODE READER" command at all... If "MODE-READER" is advertised, then "MODE READER" (if wanted) can be sent. |
There's one more issue Julien has raised: nntplib attempts to authenticate when "AUTHINFO" is sent w/o USER. (haven't tested it but I presume it's still valid) It's trivial to catch that but I'd say that it's fine to let the server handle it if the user has specifically told us to authenticate by giving credentials – no? Maybe if dealing with not-entirely-rfc-compliant servers? I will look into the READER/MODE-READER part. |
So my take on the whole issue and Antoine "tends to agree". ;)
That's already status quo.
The next patch checks whether we're in READER mode before trying to switch the mode. I've also added a test for the basic case where a connection is made to a MODE-READER advertising server. I also added a handler to the nntp2 tests that raises an exception if "mode reader" is called although the server advertises itself as "reader". If there's a consensus of not sending "MODE READER" if not advertised, it's a matter of two lines to fix that. Personally, I like this middle ground best. |
I think the patch is fine. Will apply soon (thanks!) |
New changeset a7f1ffd741d6 by Antoine Pitrou in branch '3.2': New changeset 03019bb62d83 by Antoine Pitrou in branch 'default': |
This issue can now be closed for good. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: