[ python-Bugs-900898 ] urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr
SourceForge.net
noreply at sourceforge.net
Sat Apr 15 19:59:50 CEST 2006
Bugs item #900898, was opened at 2004-02-20 06:51
Message generated for change (Comment added) made by jjlee
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=900898&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.3
Status: Open
Resolution: None
Priority: 5
Submitted By: James Kruth (jk7)
Assigned to: Nobody/Anonymous (nobody)
Summary: urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr
Initial Comment:
If the Request object being used returns a URI with a
port included (e.g. http://www.mysite.com:7777/index.html)
If Request.get_full_url() or Request.get_host() returns
a URI or host with a port included (e.g.
http://www.mysite.com:7777/index.html or
www.mysite.com:7777, respectively), and authentication
(proxy or http, basic only) is required, then the
respective AuthHandlers (HTTPBasicAuthHandler,
ProxyBasicAuthHandler) end up calling
http_error_auth_reqed with a host looking like
"www.mysite.com:7777". http_error_auth_reqed then
precedes to call retry_http_basic_auth with the same
host parameter, which in turn calls
HTTPPasswordMgr.find_user_password. The problem is
that find_user_password appears to expect a full URI,
and attempts to reduce it to just a host, by calling
reduce_uri. If a bare host with a port is passed (like
"www.mysite.com:7777"), then reduce_uri returns just
the port number in the netloc position - which
find_user_password then attempts to compare against the
correct host name you've stored in your HTTPPasswordMgr
object along with your user name and password. I
believe either find_user_password should not reduce the
host, or the Auth Handler objects should pass full
hostnames to find_user_password.
----------------------------------------------------------------------
Comment By: John J Lee (jjlee)
Date: 2006-04-15 18:59
Message:
Logged In: YES
user_id=261020
This is fixed by patch 1470846, which includes tests and doc
fix / update (though I neglected to mention that the patch
fixes this problem in the initial patch comment; I'll
rectify that now).
----------------------------------------------------------------------
Comment By: Brad Clements (bkc)
Date: 2004-04-06 20:58
Message:
Logged In: YES
user_id=4631
I ran into this problem today with Python 2.3.3 on RedHat 9.
I'm using port numbers in my URLs, and I found that the Auth
Handler did NOT correctly find the userid and password
registered.
ie:
authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm()
authinfo.add_password(None, host, userid, password)
authHandler = urllib2.HTTPBasicAuthHandler(authinfo)
opener = urllib2.build_opener(authHandler)
where host = "http://localhost:7993"
I've tested the proposed fix shown in urllib2_bug.py at line 31,
to whit, this:
class HTTPBasicAuthHandlerF(AbstractBasicAuthHandler,
BaseHandler):
auth_header = 'Authorization'
def http_error_401(self, req, fp, code, msg, headers):
host = req.get_full_url()
return self.http_error_auth_reqed('www-authenticate',
host, req, headers)
This appears to have corrected the problem.
test_urllib2.py and test_urllib.py both pass after making
this change. I did not test the ProxyBasicAuthHandler change
(I don't have a proxy)
----------------------------------------------------------------------
Comment By: James Kruth (jk7)
Date: 2004-02-20 21:25
Message:
Logged In: YES
user_id=979977
Here's a sample of the problem...
----------------------------------------------------------------------
Comment By: James Kruth (jk7)
Date: 2004-02-20 14:39
Message:
Logged In: YES
user_id=979977
I've made up a file with some source code and comments that
will hopefully clarify what I posted. I will post an
example of the problem a bit later today.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=900898&group_id=5470
More information about the Python-bugs-list
mailing list