[New-bugs-announce] [issue3819] urllib2 sends Basic auth across redirects

[Kyle McFarland]

New submission from Kyle McFarland <TFKyle at Gmail.com>:

when you request a url that requests Basic authentication info
HTTPBasicAuthHandler adds the Authorization header to the request as a
normal (not unredirected) header, then if the server returns a 301 or
302 redirect HTTPRedirectHandler will send a request to the redirected
address keeping the normal headers including the Authorization header
HTTPBasicAuthHandler added, I'll attach the code I used to test this.

GET from libwww-perl seems to do this but most browsers don't seem to 
by default and although I can't find much in the RFCs about how
redirecting is supposed to work wrt. auth headers (feel free to point
out sections if I'm blind) I think it breaks
ftp://ftp.isi.edu/in-notes/rfc2617.txt somewhat (section 1.1, 
"""
The protection space determines the domain over which credentials can
be automatically applied. If a prior request has been authorized, the
same credentials MAY be reused for all other requests within that
protection space for a period of time determined by the
authentication scheme, parameters, and/or user preference. Unless
otherwise defined by the authentication scheme, a single protection
space cannot extend outside the scope of its server.
""") since redirects can point to arbitrary urls off of the server.

as in bug #1480067 just adding the header as an unredirected header
would stop the header being sent across redirects if that's indeed the
proper behaviour.

----------
components: Library (Lib)
files: test.py
messages: 72871
nosy: TFKyle
severity: normal
status: open
title: urllib2 sends Basic auth across redirects
Added file: http://bugs.python.org/file11441/test.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue3819>
_______________________________________