[Python-bugs-list] [ python-Bugs-451295 ] HTTPS bugs in urllib2

noreply@sourceforge.net
Fri, 09 Nov 2001 08:48:53 -0800


Bugs item #451295, was opened at 2001-08-15 12:36
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=451295&group_id=5470

Category: Python Library
Group: Python 2.1.1
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Jeremy Hylton (jhylton)
Summary: HTTPS bugs in urllib2

Initial Comment:
1. In AbstractBasicAuthHandler.retry_http_basic_auth()-
 if an HTTP error, other than 401, happens, 
authentication is disabled because 
self.__current_realm is not set to None

2. In HTTPRedirectHandler.http_error_302()- if an 
authenticated file is redirected, the old request 
header is discarded and, therefore, so is the 
authentication information.  If there is a new 
challenge, HTTP error 401 results, 
self.__current_realm is still set and authentication
is thereafter disabled.

I discovered these bugs while testing with a secure 
web site.  I made the following fixes (standard Unix 
diff format) and can be reached via email at 
bcox@semio.com:

bug #1-
631,633c649,660
<             resp = self.parent.open(req)
<             self.__current_realm = None
<             return resp
---
>             try:
>                 resp = self.parent.open(req)
>                 self.__current_realm = None
>                 return resp
> 			# prevent other HTTP errors 
from disabling authentication
>             except HTTPError, e:
>                 if e.code != 401:
>                     self.__current_realm = None
>                 raise
>             except (URLError, socket.error), e:
>                 self.__current_realm = None
>                 raise
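
Review bot: In the added except clauses, only HTTPError, URLError and socket.error reset self.__current_realm, so any other exception raised from self.parent.open(req) still leaves the realm set and authentication disabled for later requests. Consider one handler that resets the realm for everything except an HTTPError whose code is 401, and add a comment explaining why the 401 case deliberately keeps it set. The "# prevent other HTTP errors" comment is tab-indented and sits between the try body and the first except clause, while the code around it uses spaces; move it to the same space indentation as the except HTTPError line. Also confirm that the module imports socket, since the hunk references socket.error.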

bug #2-
447c460,465
<         new = Request(newurl, req.get_data())
---
> 
> 		# forgetting about the current state 
is not a good idea.
> 		# If this is an authenticated URL, 
then discarding the state
> 		# (i.e. the headers) will disable 
further authentication
> 
>         new = Request(newurl, req.get_data(), 
req.headers)
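
Review bot: Passing req.headers unchanged into Request(newurl, ...) forwards every header of the original request, including any Authorization header, to whatever host newurl names, so a redirect to a different server receives the user's credentials. Copy the headers only when newurl stays on the same host as the original request, or leave Authorization out and let the 401 handler answer a fresh challenge from the new location. The three added comment lines are tab-indented while the code line uses spaces; align them with the `new = Request(` line.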


----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2001-11-09 08:48

Message:
Fixed in rev 1.24 of urllib2.py based on patch from 468948.

