[ python-Bugs-1016563 ] urllib2 bug in proxy auth

SourceForge.net noreply at sourceforge.net
Tue Jun 14 17:39:34 CEST 2005 

Bugs item #1016563, was opened at 2004-08-26 09:14
Message generated for change (Comment added) made by pietervd
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1016563&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.4
Status: Open
Resolution: None
Priority: 6
Submitted By: Christoph Mussenbrock (mussenbrock)
Assigned to: Jeremy Hylton (jhylton)
Summary: urllib2 bug in proxy auth

Initial Comment:
in urllib2.py:

line 502 should be:
... user_pass = base64.encodestring('%s:%s' % (unquote
(user), unquote(password))).strip()

the '.strip()' is missing in the current version ("2.1").

this makes an additonal '\n' at the end of user_pass.
So there will be an empty line in the http header, which 
is buggy.

(see also line 645, where the .strip() is right in place!).

Best regards,

Christoph

----------------------------------------------------------------------

Comment By: Pieter Van Dyck (pietervd)
Date: 2005-06-14 17:39

Message:
Logged In: YES 
user_id=1240437

I've run into the same bug so allow me to comment.

client environment: windows XP
target: Apache/1.3.33 (Unix)

checked on: python 2.3.4, 2.3.5, 2.4.1

To reproduce:

# from urllib2 import ...
proxy = {"http":"http://user:pwd@proxy:port"}
opener =build_opener(ProxyHandler(proxy))
install_opener( opener )

req = Request(coolurl)
# construct 
base64string = base64.encodestring('%s:%s' % (site_user,
site_pwd))[:-1]
authheader =  "Basic %s" % base64string
req.add_header("Authorization", authheader)
urlopen( req )

Symptoms: authentication failed on coolurl (HTTPError 401)
Fix: Applying the patch solves the problem for me

It appears as if the receiving server treats the empty line
as the end of the header even though it strictly shouldn't.

HTH
Pieter

----------------------------------------------------------------------

Comment By: Paul Moore (pmoore)
Date: 2005-01-29 22:50

Message:
Logged In: YES 
user_id=113328

The change was introduced by revision 1.32 of the file, from
patch 527518. There's no mention of removing strip() there,
so I suspect it was an accident.

The strip() is still missing in CVS HEAD. I can see the
problem, in theory (base64.encodestring returns a string
with a terminating newline). However, I cannot reproduce the
problem.

Can the original poster provide a means of verifying the
problem? It may be useful as a test case.

Regardless, the change seems harmless, and can probably be
applied. I attach a patch against CVS HEAD:

--- urllib2.py.orig	2005-01-09 05:51:49.000000000 +0000
+++ urllib2.py	2005-01-29 21:31:49.000000000 +0000
@@ -582,7 +582,8 @@
             if ':' in user_pass:
                 user, password = user_pass.split(':', 1)
                 user_pass = base64.encodestring('%s:%s' %
(unquote(user),
-                                                          
unquote(password)))
+                                                          
unquote(password))
+							   ).strip()
                 req.add_header('Proxy-authorization',
'Basic ' + user_pass)
         host = unquote(host)
         req.set_proxy(host, type)


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1016563&group_id=5470

More information about the Python-bugs-list mailing list