urllib2 sends Basic auth across redirects #48069
When you request a url that requests Basic authentication info GET from libwww-perl seems to do this but most browsers don't seem to as in bug bpo-1480067 just adding the header as an unredirected header
""" This basically states that Authorization header should be passed on the
This is working as designed and Requestor has not supplied any further
I agree this is a bug. Senthil -- re "1)", the paragraph you refer to (quoted by the OP) is Re "2)": I don't know how digest auth works, but the paragraph you quote
I think the test is close enough to acceptable, will adapt it if nobody
I believe this bug affects urllib2 when it talks to the corporate single-sign-on solution Siteminder. Siteminder usually is installed as a web server module. When a request is made to the server (origin server), Siteminder issues a 302 redirect to a central authentication server running SSL passing the original request URL of the origin server. The central server responds with a 401 basic authentication challenge. Urllib2 responds with the password from the HTTPPasswordMgr. The central server sets some cookies and responds with a 302 redirect to the origin server on the original URL. Urllib2 then sends the authentication and cookies to the origin server which is virtually always unprotected. Browsers do not send the authentication to the origin server -- only the cookies.
Ok, in order to fix this bug, urllib2 should only send the cookies and not send the auth info across the redirects. Yup, let me take this up.
I attached a diff of a fix for this bug. This may not be the ideal fix, but hopefully it will give the developer who actually does resolve it a good start.
The Basic Auth Authorization headers are added to unredirected_headers. Fixed and committed in revision 78422.
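The redirect behaviour described in the Siteminder comment and the fix described just above, as an added example that is not code from the issue thread or from CPython itself: it is written against Python 3's urllib.request (which inherited urllib2's redirect logic), and the URLs and the credential are constructed placeholders.

```python
"""Show why the fix moves Authorization into the unredirected headers.

Added example against Python 3's urllib.request. No network is needed:
HTTPRedirectHandler.redirect_request() only builds the follow-up Request
that urllib would send to the redirect target, so we can inspect which
headers it carries over.
"""
from urllib.request import HTTPRedirectHandler, Request

# Constructed URLs standing in for the SSO flow described in the thread.
AUTH_SERVER = "https://sso.example.test/login"
ORIGIN = "http://intranet.example.test/report"
# Constructed credential: Basic auth is base64("user:password").
CREDENTIAL = "Basic dXNlcjpwYXNzd29yZA=="


def follow_redirect(req: Request) -> Request:
    """Build the request urllib issues after the auth server answers 302."""
    handler = HTTPRedirectHandler()
    # Signature: redirect_request(req, fp, code, msg, headers, newurl).
    return handler.redirect_request(req, None, 302, "Found", {}, ORIGIN)


def leaks_authorization(unredirected: bool) -> bool:
    """Return True if the Authorization header survives the redirect.

    unredirected=False reproduces the pre-fix behaviour (header attached
    with add_header, so it lives in req.headers and is copied on redirect);
    unredirected=True reproduces the fix (add_unredirected_header, so it is
    sent once to the challenging server only).
    """
    req = Request(AUTH_SERVER)
    # An ordinary header: expected to be carried over in both cases.
    req.add_header("Accept", "text/html")
    if unredirected:
        req.add_unredirected_header("Authorization", CREDENTIAL)
    else:
        req.add_header("Authorization", CREDENTIAL)
    new_req = follow_redirect(req)
    assert new_req.full_url == ORIGIN
    assert new_req.has_header("Accept")
    return new_req.has_header("Authorization")


if __name__ == "__main__":
    print("pre-fix:  credential reaches origin server:", leaks_authorization(False))
    print("post-fix: credential reaches origin server:", leaks_authorization(True))
```

In a real session the cookies set by the authentication server are re-attached to the new request by HTTPCookieProcessor from its cookie jar, which is why only the cookies, and not the credential, reach the origin server after the fix.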
merged into other branches r78423, r78426, r78428 |
FYI, this change caused a regression in Mercurial - see http://mercurial.selenic.com/bts/issue2179. |