[Python-bugs-list] [ python-Bugs-468948 ] urllib2, basic authentication, & 302

noreply@sourceforge.net noreply@sourceforge.net
Fri, 09 Nov 2001 08:49:36 -0800


Bugs item #468948, was opened at 2001-10-07 21:19
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=468948&group_id=5470

Category: Python Library
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Jeffrey C. Ollie (jcollie)
Assigned to: Jeremy Hylton (jhylton)
Summary: urllib2, basic authentication, & 302

Initial Comment:
I've found a bug in how urllib2 handles 
authentication.  The crux of the problem is that the 
AbstractBasicAuthHandler.__current_realm is basically 
a global variable.  I discovered the bug because I 
needed to use HTTP basic authentication and the HTTP 
If-Modified-Since header.  Since the HTTP server 
returns a 302 error if the requested URL has not 
changed the line of code that resets 
AbstractBasicAuthHandler.__current_realm  back to None 
never gets executed because an exception will be 
raised when the retrieval is retried.  I suspect that
this bug would also cause problems in multi-threaded 
code.  The digest authentication appears to have 
similar problems.

The solution that I found is to get rid of the 
__current_realm attribute and prevent infinite retries 
by checking for the presence of an Authenticate: header
in the request object that exactly matches the 
Authenticate: header that would be added.

The bug exists in 2.1.1, 2.2a4 and the current CVS.

Patch attached.

----------------------------------------------------------------------

>Comment By: Jeremy Hylton (jhylton)
Date: 2001-11-09 08:49

Message:
Logged In: YES 
user_id=31392

Fixed in rev. 1.24 of urllib2.py, including changes to
digest authentication.


----------------------------------------------------------------------

Comment By: Jeffrey C. Ollie (jcollie)
Date: 2001-10-09 19:54

Message:
Logged In: YES 
user_id=37310

I haven't tried the patch yet but I think that it would fix 
the bug in the case of a single-threaded program.  However, 
with a multi-threaded program I think that my patch for 
this problem is superior because it doesn't rely on a 
property shared by all of the threads that use the same 
opener object.  Of course, my patch assumes that a request 
object is used only by one thread but I think that that's a 
safer assumption.

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2001-10-09 19:17

Message:
Logged In: YES 
user_id=31392

Does the patch in bug #451295 fix your problem?


----------------------------------------------------------------------

Comment By: Jeffrey C. Ollie (jcollie)
Date: 2001-10-09 10:21

Message:
Logged In: YES 
user_id=37310

Oops, that patch that I attached is reversed, use -R!


----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=468948&group_id=5470