[New-bugs-announce] [issue2136] urllib2 basic auth handler doesn't handle realm names in single-quoted strings

[Atul Varma]

New submission from Atul Varma:

This isn't necessarily a bug in Python--it's really a bug in websites
that produce what are technically malformed WWW-Authenticate headers, I
believe.

According to RFC 2617, a WWW-Authenticate header should be of the form:

  WWW-Authenticate: Basic realm="Private"

However, some websites, produce the header using single-quotes:

  WWW-Authenticate: Basic realm='Private'

The Firefox browser deals with this gracefully, but Python's urllib2
does not; specifically, an AbstractBasicAuthHandler does not recognize
the second type of header as an auth header at all, and as a result it's
impossible to access sites protected with such headers.

The attached patch alters the behavior of the class to deal with this
situation gracefully, and also adds a unit test to ensure that the
functionality works.

Implementation notes: This isn't the most well-engineered fix in the
world; in particular, I didn't change the regex used to parse
WWW-Authenticate headers, in part because (A) such a regex was difficult
to compose and (B) it would've been quite difficult to read, and I
didn't want to inadvertently mess up the current behavior of the code.

----------
components: Library (Lib)
files: urllib2_single_quoted_auth_fix.patch
messages: 62513
nosy: varmaa
severity: minor
status: open
title: urllib2 basic auth handler doesn't handle realm names in single-quoted strings
type: behavior
versions: Python 2.6
Added file: http://bugs.python.org/file9455/urllib2_single_quoted_auth_fix.patch

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2136>
__________________________________