Message 106649 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	anelis
Recipients	anelis
Date	2010-05-28.11:33:16
SpamBayes Score	0.00083045126
Marked as misclassified	No
Message-id	<1275046398.81.0.158910525846.issue8843@psf.upfronthosting.co.za>
In-reply-to

Content
When using Digest authentication to authenticate with a web server, according to rfc2617 (section 3.2.2.5) the uri in the Authorization header MUST match the request URI. urllib2.AbstractDigestAuthHandler doesn't honour this when we request a url of the form 'http://hostname' without the trailing slash and we end up with request headers of the form: GET / 1.1 ... Authorization: Digest ... uri="" <- should be uri="/"! A web server will return 400 Bad Request error. I attach a patch to fix urllib2.AbstractDigestAuthHandler.get_authorization that simply checks for the empty uri and uses '/' instead. It's the same thing that httplib.HTTPConnection does when it builds the GET line. However I do wonder if this uri normalisation should be part of Request.get_selector? Following is a script to demonstrate the behaviour, if you call it as: ./do_digest_request.py http://myserver username password (and assuming myserver is using Digest authentication) there will a 400 response instead of it working. --- do_digest_request.py #!/usr/bin/env python import sys import urllib2 import urlparse def request( url, username, password ): p = urlparse.urlparse( url ) password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm() password_manager.add_password( None, p.hostname, username, password ) handlers = [ urllib2.HTTPDigestAuthHandler( password_manager ), ] opener = urllib2.build_opener( *handlers ) request = urllib2.Request( url ) response = opener.open( request ) response.read() if __name__ == '__main__': request( sys.argv[1], sys.argv[2], sys.argv[3] )

When using Digest authentication to authenticate with a web server, according to rfc2617 (section 3.2.2.5) the uri in the Authorization header MUST match the request URI.

urllib2.AbstractDigestAuthHandler doesn't honour this when we request a url of the form 'http://hostname' without the trailing slash and we end up with request headers of the form:

GET / 1.1
...
Authorization: Digest ... uri="" <- should be uri="/"!

A web server will return 400 Bad Request error.

I attach a patch to fix urllib2.AbstractDigestAuthHandler.get_authorization that simply checks for the empty uri and uses '/' instead. It's the same thing that httplib.HTTPConnection does when it builds the GET line.

However I do wonder if this uri normalisation should be part of Request.get_selector?

Following is a script to demonstrate the behaviour, if you call it as:

./do_digest_request.py http://myserver username password

(and assuming myserver is using Digest authentication) there will a 400 response instead of it working.

--- do_digest_request.py
#!/usr/bin/env python

import sys
import urllib2
import urlparse

def request( url, username, password ):

    p = urlparse.urlparse( url )
    password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm()
    password_manager.add_password( None, p.hostname, username, password )

    handlers = [
        urllib2.HTTPDigestAuthHandler( password_manager ),
    ]

    opener = urllib2.build_opener( *handlers )
    request = urllib2.Request( url )
    response = opener.open( request )
    response.read()


if __name__ == '__main__':
    request( sys.argv[1], sys.argv[2], sys.argv[3] )

History
Date	User	Action	Args
2010-05-28 11:33:19	anelis	set	recipients: + anelis
2010-05-28 11:33:18	anelis	set	messageid: <1275046398.81.0.158910525846.issue8843@psf.upfronthosting.co.za>
2010-05-28 11:33:17	anelis	link	issue8843 messages
2010-05-28 11:33:16	anelis	create