[New-bugs-announce] [issue10287] NNTP authentication should check capabilities
report at bugs.python.org
Mon Nov 1 22:56:32 CET 2010
New submission from Julien ÉLIE <julien at trigofacile.com>:
   The server MAY list the AUTHINFO capability with no arguments, which
   indicates that it complies with this specification and does not
   permit any authentication commands in its current state.  In this
   case, the client MUST NOT attempt to utilize any AUTHINFO commands,
   even if it contains logic that might otherwise cause it to do so
   (e.g., for backward compatibility with servers that are not compliant
   with this specification).
Yet, nntplib attempts to authenticate.
self.capabilities() should be sent at startup.
If "READER" is advertised, no need to send a "MODE READER" command at all...
If "MODE-READER" is advertised, then "MODE READER" (if wanted) can be sent.
Then, self.capabilities() should be sent again. Capabilities changed!
Then authentication if "AUTHINFO USER" is advertised with NNTP version >=2. If "AUTHINFO" without "USER", no authentication at all.
And after authentication, self.capabilities() should be sent again.
Please note that the readermode_afterauth variable I see in the source code should normally not be used by a client... RFC 4643 mentions:
   o  the MODE READER command MUST NOT be used in the
      same session following successful authentication.
components: Library (Lib)
title: NNTP authentication should check capabilities
versions: Python 3.2
Python tracker <report at bugs.python.org>
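
The sequence proposed in the report above, sketched as an added example; it is not code from the original message or from nntplib. FakeServer, STATES, negotiate and the two helper functions are hypothetical names, the capability lists are constructed, and the single "AUTHINFO USER" command stands for the whole USER/PASS exchange.

```python
def parse_capabilities(lines):
    """Map each capability label of a CAPABILITIES response body to its arguments."""
    caps = {}
    for line in lines:
        tokens = line.upper().split()
        if tokens:
            caps[tokens[0]] = tokens[1:]
    return caps

def may_authinfo_user(caps):
    """AUTHINFO USER is allowed only with VERSION >= 2 and AUTHINFO listing USER.
    A bare AUTHINFO (no arguments) means: send no AUTHINFO command at all."""
    versions = [int(v) for v in caps.get("VERSION", []) if v.isdigit()]
    return bool(versions) and max(versions) >= 2 and "USER" in caps.get("AUTHINFO", [])

class FakeServer:
    """Constructed stand-in for a server: its capability list depends on its state."""
    def __init__(self, caps_by_state, state):
        self.caps_by_state, self.state, self.sent = caps_by_state, state, []
    def command(self, cmd):
        self.sent.append(cmd)
        if cmd == "CAPABILITIES":
            return self.caps_by_state[self.state]
        # MODE READER and a successful authentication both change the state.
        self.state = {"MODE READER": "reader", "AUTHINFO USER": "authed"}[cmd]
        return []

def negotiate(server, want_reader=True):
    """Run the sequence from the report; returns the final capabilities."""
    caps = parse_capabilities(server.command("CAPABILITIES"))
    if want_reader and "READER" not in caps and "MODE-READER" in caps:
        server.command("MODE READER")
        caps = parse_capabilities(server.command("CAPABILITIES"))  # they changed
    if may_authinfo_user(caps):
        server.command("AUTHINFO USER")  # stands for the whole USER/PASS exchange
        caps = parse_capabilities(server.command("CAPABILITIES"))
    return caps

# Constructed capability lists, one per server state.
STATES = {
    "transit": ["VERSION 2", "MODE-READER", "AUTHINFO"],
    "reader": ["VERSION 2", "READER", "AUTHINFO USER"],
    "authed": ["VERSION 2", "READER", "POST"],
}

if __name__ == "__main__":
    server = FakeServer(STATES, "transit")
    negotiate(server)
    print(server.sent)
```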