Message 62513 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	varmaa
Recipients	varmaa
Date	2008-02-18.01:02:43
SpamBayes Score	0.00049133605
Marked as misclassified	No
Message-id	<1203296568.46.0.747126970867.issue2136@psf.upfronthosting.co.za>
In-reply-to

Content
This isn't necessarily a bug in Python--it's really a bug in websites that produce what are technically malformed WWW-Authenticate headers, I believe. According to RFC 2617, a WWW-Authenticate header should be of the form: WWW-Authenticate: Basic realm="Private" However, some websites, produce the header using single-quotes: WWW-Authenticate: Basic realm='Private' The Firefox browser deals with this gracefully, but Python's urllib2 does not; specifically, an AbstractBasicAuthHandler does not recognize the second type of header as an auth header at all, and as a result it's impossible to access sites protected with such headers. The attached patch alters the behavior of the class to deal with this situation gracefully, and also adds a unit test to ensure that the functionality works. Implementation notes: This isn't the most well-engineered fix in the world; in particular, I didn't change the regex used to parse WWW-Authenticate headers, in part because (A) such a regex was difficult to compose and (B) it would've been quite difficult to read, and I didn't want to inadvertently mess up the current behavior of the code.

This isn't necessarily a bug in Python--it's really a bug in websites
that produce what are technically malformed WWW-Authenticate headers, I
believe.

According to RFC 2617, a WWW-Authenticate header should be of the form:

  WWW-Authenticate: Basic realm="Private"

However, some websites, produce the header using single-quotes:

  WWW-Authenticate: Basic realm='Private'

The Firefox browser deals with this gracefully, but Python's urllib2
does not; specifically, an AbstractBasicAuthHandler does not recognize
the second type of header as an auth header at all, and as a result it's
impossible to access sites protected with such headers.

The attached patch alters the behavior of the class to deal with this
situation gracefully, and also adds a unit test to ensure that the
functionality works.

Implementation notes: This isn't the most well-engineered fix in the
world; in particular, I didn't change the regex used to parse
WWW-Authenticate headers, in part because (A) such a regex was difficult
to compose and (B) it would've been quite difficult to read, and I
didn't want to inadvertently mess up the current behavior of the code.

History
Date	User	Action	Args
2008-02-18 01:02:50	varmaa	set	spambayes_score: 0.000491336 -> 0.00049133605 recipients: + varmaa
2008-02-18 01:02:48	varmaa	set	spambayes_score: 0.000491336 -> 0.000491336 messageid: <1203296568.46.0.747126970867.issue2136@psf.upfronthosting.co.za>
2008-02-18 01:02:46	varmaa	link	issue2136 messages
2008-02-18 01:02:44	varmaa	create