[New-bugs-announce] [issue10287] NNTP authentication should check capabilities

Julien ÉLIE report at bugs.python.org
Mon Nov 1 22:56:32 CET 2010

New submission from Julien ÉLIE <julien at trigofacile.com>:

RFC 4643:

   The server MAY list the AUTHINFO capability with no arguments, which
   indicates that it complies with this specification and does not
   permit any authentication commands in its current state.  In this
   case, the client MUST NOT attempt to utilize any AUTHINFO commands,
   even if it contains logic that might otherwise cause it to do so
   (e.g., for backward compatibility with servers that are not compliant
   with this specification).

Yet, nntplib attempts to authenticate.

self.capabilities() should be sent at startup.

If "READER" is advertised, no need to send a "MODE READER" command at all...

If "MODE-READER" is advertised, then "MODE READER" (if wanted) can be sent.
Then, self.capabilities() should be sent again.  Capabilities changed!

Then authentication if "AUTHINFO USER" is advertised with NNTP version >=2.  If "AUTHINFO" without "USER", no authentication at all.

And after authentication, self.capabilities() should be sent again.

Please note that the readermode_afterauth variable I see in the source code should normally not be used by a client...  RFC 4643 mentions:

   o  the MODE READER command MUST NOT be used in the
      same session following successful authentication.

components: Library (Lib)
messages: 120183
nosy: jelie
priority: normal
severity: normal
status: open
title: NNTP authentication should check capabilities
versions: Python 3.2

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list