[Python-bugs-list] [ python-Bugs-823328 ] urllib2 digest auth is broken

SourceForge.net noreply at sourceforge.net
Tue Oct 21 14:07:15 EDT 2003


Bugs item #823328, was opened at 2003-10-14 10:03
Message generated for change (Settings changed) made by jhylton
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=823328&group_id=5470

Category: None
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Anthony Baxter (anthonybaxter)
Assigned to: Jeremy Hylton (jhylton)
Summary: urllib2 digest auth is broken

Initial Comment:
The urllib2 digest auth support is busted. For starters, it's looking
for a header 'Authorization' with the auth header in it - the correct
header is WWW-Authenticate, according to rfc2617 (and confirmed by the
"what does apache do?" test). Even after making this fix, auth is still
failing, not sure why yet.

I'm not convinced, looking at the code, that it could have _ever_
worked.



----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2003-10-21 17:43

Message:
Logged In: YES 
user_id=31392

Reviewing the patch just now.  It looks basically good.  I
realize that the reason you had so much trouble with the
code is that it was written against RFC 2069 and tested
against some very old version of Apache.


----------------------------------------------------------------------

Comment By: Anthony Baxter (anthonybaxter)
Date: 2003-10-14 13:18

Message:
Logged In: YES 
user_id=29957

The following patch gives us a urllib2 that supports digest
auth again. I've tested against Apache-2.0.47, if someone
wants to suggest another webserver to check with, please let
me know.

We now support RFC2617-compliant versions of digest auth. I
have no idea what the code that was in there was trying to
do, but it was broken all over the place - there is no way
it would have worked.

Note the following limitations:
- We are sending a client nonce, but we're not checking the
Authentication-Info that's coming back.
- qop="auth-int" support is shaky. But apache looks like it
doesn't support it properly, anyway. And it's no shakier
than it was <wink>
- algorithm="MD5-sess" isn't properly supported, but then,
it wasn't before, either.
- the code now has a limit of 5 failures in a row before it
bails out. There was no limit previously, so it would
recurse until the recursion limit was hit.

I can't test the old code, unfortunately, but I _believe_
I've made it work again. It certainly could not have worked
as it was. I've also not tested proxy-digest-auth -
suggestions for a proxy server to try? Assuming my reading
of the RFC is right, it should "just work". 
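
Added example, not part of the original comment or of the urllib2 patch: a Python 3 sketch of the exchange this thread describes, reading the challenge from WWW-Authenticate and computing the RFC 2617 qop=auth response (RFC 2069 form as fallback) for the client's Authorization header. Function names are hypothetical; the challenge and credentials are the worked example from RFC 2617 section 3.5, and the two parse helpers come from urllib.request, urllib2's Python 3 successor.

```python
import hashlib
from urllib.request import parse_http_list, parse_keqv_list

# Challenge taken from the worked example in RFC 2617 section 3.5.
RFC_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(www_authenticate):
    """Parse the value of the server's WWW-Authenticate header into a dict."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % scheme)
    return parse_keqv_list(parse_http_list(params))

def offered_qops(chal):
    return [q.strip() for q in chal.get("qop", "").split(",") if q.strip()]

def digest_response(chal, user, password, method, uri, cnonce, nc=1):
    """RFC 2617 response when qop=auth is offered, RFC 2069 response otherwise."""
    if chal.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = md5_hex("%s:%s:%s" % (user, chal["realm"], password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    qops = offered_qops(chal)
    if "auth" in qops:
        # qop=auth mixes the nonce count and the client nonce into the hash.
        return md5_hex("%s:%s:%08x:%s:auth:%s" % (ha1, chal["nonce"], nc, cnonce, ha2))
    if qops:
        raise ValueError("server offers only unsupported qop: %r" % qops)
    # No qop in the challenge: legacy RFC 2069 computation.
    return md5_hex("%s:%s:%s" % (ha1, chal["nonce"], ha2))

def authorization_value(chal, user, password, method, uri, cnonce, nc=1):
    """Build the value the client sends back in its Authorization header."""
    resp = digest_response(chal, user, password, method, uri, cnonce, nc)
    fields = ['username="%s"' % user, 'realm="%s"' % chal["realm"],
              'nonce="%s"' % chal["nonce"], 'uri="%s"' % uri, 'response="%s"' % resp]
    if "auth" in offered_qops(chal):
        fields += ["qop=auth", "nc=%08x" % nc, 'cnonce="%s"' % cnonce]
    if "opaque" in chal:
        fields.append('opaque="%s"' % chal["opaque"])
    return "Digest " + ", ".join(fields)

if __name__ == "__main__":
    # cnonce is fixed here to reproduce the RFC vector; a client generates it randomly.
    print(authorization_value(parse_challenge(RFC_CHALLENGE), "Mufasa",
                              "Circle Of Life", "GET", "/dir/index.html", "0a4f113b"))
```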


----------------------------------------------------------------------

Comment By: Anthony Baxter (anthonybaxter)
Date: 2003-10-14 12:16

Message:
Logged In: YES 
user_id=29957

Ok, we're not handling the qop=auth style of Digest, as
specified in the RFC. I'm working on it now.

----------------------------------------------------------------------

Comment By: Anthony Baxter (anthonybaxter)
Date: 2003-10-14 10:12

Message:
Logged In: YES 
user_id=29957

Hm. Looking through comments, it's possible that this used
to work with an older, broken, apache digest mode. It
certainly fails with 2.0.47... :-(


----------------------------------------------------------------------
