Issue 12541: Accepting Badly formed headers in urllib HTTPBasicAuth

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/56750

classification

Title:	Accepting Badly formed headers in urllib HTTPBasicAuth
Type:	behavior	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.2

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	orsenthil	Nosy List:	Alex.Leon, ezio.melotti, orsenthil, petri.lehtinen, python-dev, r.david.murray, shevegen
Priority:	normal	Keywords:	patch

Created on 2011年07月12日 13:48 by Alex.Leon, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
issue12541.patch	orsenthil, 2011年08月07日 08:26

Messages (10)
msg140191 - (view)	Author: Alex Leon (Alex.Leon)	Date: 2011年07月12日 13:48
It looks like some servers using basic authentication don't include quotes around the realm (example https://api.connect2field.com) as required by rfc 2617. urllib wont handle these requests and silently fails, but a simple change to the regex in AbstractBasicAuthHandler from 'realm=(["\'])(.?)\2円', re.I) to 'realm=(["\']?)(["\'])\2円', re.I) would make authentication more flexible.
msg141606 - (view)	Author: Alex Leon (Alex.Leon)	Date: 2011年08月03日 11:46
For some reason a caret went missing in the regex fix. It should read 'realm=(["\']?)([^"\']*)\2円', re.I)
msg141739 - (view)	Author: Senthil Kumaran (orsenthil) * (Python committer)	Date: 2011年08月07日 08:26
Here is a patch with the test for accepting the badly formed headers. I would like to ensure that change in the regex is fool-proof in order to accomodate this bad behavior, so that we don't break the existing stuff. It is problem at the server end,I found that browsers thrown warning before accepting that.
msg141750 - (view)	Author: R. David Murray (r.david.murray) * (Python committer)	Date: 2011年08月07日 22:16
Perhaps we should issue a warning, then, too?
msg141766 - (view)	Author: Senthil Kumaran (orsenthil) * (Python committer)	Date: 2011年08月08日 10:48
I don't think so. We are just making our regex bit lenient. I am not sure how we can raise a warning with more lenient regex. As with any parsing changes, I would like to be careful and that we don't introduce any regression.
msg141849 - (view)	Author: Alex Leon (Alex.Leon)	Date: 2011年08月10日 06:12
It could have a 2 phase regex match. We match the first one, and if it fails, match the second and produce a warning. I think producing a warning is a good idea, as it allows the programmer to know that the implementation of basic auth they are trying to connect to is broken, and might help with future connection attempts. Also there are currently no warnings produced by python if it fails to parse the auth header, and its hard for a developer to know why.
msg141850 - (view)	Author: shevegen (shevegen)	Date: 2011年08月10日 07:49
I think a warning would be quite nice to have.
msg160731 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2012年05月15日 14:42
New changeset 3e10d0148f79 by Senthil Kumaran in branch '2.7': Issue #12541: Be lenient with quotes around Realm field with HTTP Basic Authentation in urllib2. http://hg.python.org/cpython/rev/3e10d0148f79 New changeset bb94fec5c5ab by Senthil Kumaran in branch '3.2': Issue #12541: Be lenient with quotes around Realm field of HTTP Basic Authentation in urllib2. http://hg.python.org/cpython/rev/bb94fec5c5ab New changeset bf20564296aa by Senthil Kumaran in branch 'default': merge from 3.2 - Issue #12541: Be lenient with quotes around Realm field of HTTP Basic Authentation in urllib2. http://hg.python.org/cpython/rev/bf20564296aa
msg160739 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2012年05月15日 16:08
New changeset b82178b07e0f by Senthil Kumaran in branch '2.7': Issue12541 - Add UserWarning for unquoted realms http://hg.python.org/cpython/rev/b82178b07e0f New changeset b5b38bda9fc4 by Senthil Kumaran in branch '3.2': Issue12541 - Add UserWarning for unquoted realms http://hg.python.org/cpython/rev/b5b38bda9fc4 New changeset 08fa1a47fa97 by Senthil Kumaran in branch 'default': Issue12541 - Add UserWarning for unquoted realms http://hg.python.org/cpython/rev/08fa1a47fa97
msg160740 - (view)	Author: Senthil Kumaran (orsenthil) * (Python committer)	Date: 2012年05月15日 16:09
this issue is taken care. Both in accepting unquoted Realm for basic auth leniently and then raising a UserWarning when encountering this case.

History
Date	User	Action	Args
2022年04月11日 14:57:19	admin	set	github: 56750
2012年05月15日 16:09:35	orsenthil	set	status: open -> closed resolution: fixed messages: + msg160740 stage: needs patch -> resolved
2012年05月15日 16:08:25	python-dev	set	messages: + msg160739
2012年05月15日 14:42:27	python-dev	set	nosy: + python-dev messages: + msg160731
2012年05月06日 22:42:45	ezio.melotti	set	stage: needs patch
2011年08月10日 07:49:01	shevegen	set	nosy: + shevegen messages: + msg141850
2011年08月10日 06:12:06	Alex.Leon	set	messages: + msg141849
2011年08月08日 10:48:23	orsenthil	set	messages: + msg141766
2011年08月07日 22:16:03	r.david.murray	set	nosy: + r.david.murray messages: + msg141750
2011年08月07日 08:26:58	orsenthil	set	files: + issue12541.patch keywords: + patch messages: + msg141739
2011年08月03日 11:58:55	ezio.melotti	set	nosy: + ezio.melotti
2011年08月03日 11:46:57	Alex.Leon	set	messages: + msg141606
2011年07月15日 18:52:22	petri.lehtinen	set	nosy: + petri.lehtinen
2011年07月12日 14:05:04	orsenthil	set	assignee: orsenthil nosy: + orsenthil
2011年07月12日 13:48:19	Alex.Leon	create

homepage