[Python-bugs-list] [ python-Bugs-451295 ] HTTPS bugs in urllib2
noreply@sourceforge.net
noreply@sourceforge.net
Thu, 16 Aug 2001 10:01:35 -0700
Bugs item #451295, was opened at 2001-08-15 12:36
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=451295&group_id=5470
Category: Python Library
Group: Python 2.1.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
>Assigned to: Jeremy Hylton (jhylton)
Summary: HTTPS bugs in urllib2
Initial Comment:
1. In AbstractBasicAuthHandler.retry_http_basic_auth()-
if an HTTP error, other than 401, happens,
authentication is disabled because
self.__current_realm is not set to None
2. In HTTPRedirectHandler.http_error_302()- if an
authenticated file is redirected, the old request
header is discarded and, therefore, so is the
authentication information. If there is a new
challenge, HTTP error 401 results,
self.__current_realm is still set and authentication
is thereafter disabled.
I discovered these bugs while testing with a secure
web site. I made the following fixes (standard Unix
diff format) and can be reached via email at
bcox@semio.com:
bug #1-
631,633c649,660
< resp = self.parent.open(req)
< self.__current_realm = None
< return resp
---
> try:
> resp = self.parent.open(req)
> self.__current_realm = None
> return resp
> # prevent other HTTP errors
from disabling authentication
> except HTTPError, e:
> if e.code != 401:
> self.__current_realm = None
> raise
> except (URLError, socket.error), e:
> self.__current_realm = None
> raise
bug #2-
447c460,465
< new = Request(newurl, req.get_data())
---
>
> # forgetting about the current state
is not a good idea.
> # If this is an authenticated URL,
then discarding the state
> # (i.e. the headers) will disable
further authentication
>
> new = Request(newurl, req.get_data(),
req.headers)
----------------------------------------------------------------------
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=451295&group_id=5470