Message 78223 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	orsenthil
Recipients	gregory.p.smith, orsenthil, wayland
Date	2008-12-23.03:31:41
SpamBayes Score	2.436936e-06
Marked as misclassified	No
Message-id	<1230003102.65.0.154182846488.issue1025540@psf.upfronthosting.co.za>
In-reply-to

Content
This issue makes a request to implement, plain-text inurl password authentication like "https://user:password@host:port/ for HTTP Basic Authentication. " for urllib2. As per rfc3986, this is strongly discouraged and is deprecated. See the section: 3.2.1. User Information Use of the format "user:password" in the userinfo field is deprecated. Applications should not render as clear text any data after the first colon (":") character found within a userinfo subcomponent unless the data after the colon is the empty string (indicating no password). Applications may choose to ignore or reject such data when it is received as part of a reference and should reject the storage of such data in unencrypted form. The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used. Also, this was reported on 2004-09-10! We do not have any other similar requests inline. AFAIK, current urllib2 will authenticate and fetch the documents with HTTP Basic authentication when password is passed along in the url like the case specifies. I do not what was the case in 2004. My conclusion for this request is to Close it as either "Invalid" or "Wont Fix".

This issue makes a request to implement, plain-text inurl password
authentication like "https://user:password@host:port/ for HTTP Basic
Authentication. " for urllib2.

As per rfc3986, this is strongly discouraged and is deprecated.

See the section: 3.2.1.  User Information


Use of the format "user:password" in the userinfo field is
   deprecated.  Applications should not render as clear text any data
   after the first colon (":") character found within a userinfo
   subcomponent unless the data after the colon is the empty string
   (indicating no password).  Applications may choose to ignore or
   reject such data when it is received as part of a reference and
   should reject the storage of such data in unencrypted form.  The
   passing of authentication information in clear text has proven to be
   a security risk in almost every case where it has been used.


Also, this was reported on 2004-09-10! We do not have any other similar
requests inline.  AFAIK, current urllib2 will authenticate and fetch the
documents with HTTP Basic authentication when password is passed along
in the url like the case specifies. I do not what was the case in 2004.

My conclusion for this request is to Close it as either "Invalid" or
"Wont Fix".

History
Date	User	Action	Args
2008-12-23 03:31:43	orsenthil	set	recipients: + orsenthil, gregory.p.smith, wayland
2008-12-23 03:31:42	orsenthil	set	messageid: <1230003102.65.0.154182846488.issue1025540@psf.upfronthosting.co.za>
2008-12-23 03:31:42	orsenthil	link	issue1025540 messages
2008-12-23 03:31:41	orsenthil	create