This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author orsenthil
Recipients TFKyle, orsenthil
Date 2008-09-09.18:29:04
SpamBayes Score 1.156946e-05
Marked as misclassified No
Message-id <>
1) The section you refer to is 1.2 of RFC2617, which specifies the details on
Access Authentication in General and not specific to url redirects. So, I don't
think we should take it as a referece.

2) Under the section - 3.3 Digest Operation, the Authentication cases under
redirection is provided like this. (search for keyword 'redirect')

The client will retry the request, at which time the server might respond with a 301/302 redirection, pointing to the URI on the second server. The client will follow the redirection, and pass an Authorization header , including the <opaque> data...

This basically states that Authorization header should be passed on the
redirects in Digest authentication case and (should we assume in Basic
Authentication case also?) If yes, then urllib2 is actually doing the same
thing.  Do you have a practical scenario where this has resulted in failure/
security loophole?
Date User Action Args
2008-09-09 18:29:06orsenthilsetrecipients: + orsenthil, TFKyle
2008-09-09 18:29:05orsenthillinkissue3819 messages
2008-09-09 18:29:04orsenthilcreate