[ python-Bugs-900898 ] urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr

SourceForge.net noreply at sourceforge.net
Sun Apr 30 10:22:37 CEST 2006

Bugs item #900898, was opened at 2004-02-20 06:51
Message generated for change (Settings changed) made by gbrandl
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.3
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: James Kruth (jk7)
Assigned to: Nobody/Anonymous (nobody)
Summary: urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr

Initial Comment:
If the Request object being used returns a URI with a
port included (e.g. http://www.mysite.com:7777/index.html)

If Request.get_full_url() or Request.get_host() returns
a URI or host with a port included (e.g.
http://www.mysite.com:7777/index.html or
www.mysite.com:7777, respectively), and authentication
(proxy or http, basic only) is required, then the
respective AuthHandlers (HTTPBasicAuthHandler,
ProxyBasicAuthHandler) end up calling
http_error_auth_reqed with a host looking like
"www.mysite.com:7777".  http_error_auth_reqed then
precedes to call retry_http_basic_auth with the same
host parameter, which in turn calls
HTTPPasswordMgr.find_user_password.  The problem is
that find_user_password appears to expect a full URI,
and attempts to reduce it to just a host, by calling
reduce_uri.  If a bare host with a port is passed (like
"www.mysite.com:7777"), then reduce_uri returns just
the port number in the netloc position - which
find_user_password then attempts to compare against the
correct host name you've stored in your HTTPPasswordMgr
object along with your user name and password.  I
believe either find_user_password should not reduce the
host, or the  Auth Handler objects should pass full
hostnames to find_user_password.


>Comment By: Georg Brandl (gbrandl)
Date: 2006-04-30 08:22

Logged In: YES 

Fixed with commit of patch 1470846.


Comment By: John J Lee (jjlee)
Date: 2006-04-15 17:59

Logged In: YES 

This is fixed by patch 1470846, which includes tests and doc
fix / update (though I neglected to mention that the patch
fixes this problem in the initial patch comment; I'll
rectify that now).


Comment By: Brad Clements (bkc)
Date: 2004-04-06 19:58

Logged In: YES 

I ran into this problem today with Python 2.3.3 on RedHat 9.
I'm using port numbers in my URLs, and I found that the Auth
Handler did NOT correctly find the userid and password


    authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm()
    authinfo.add_password(None, host, userid, password)
    authHandler = urllib2.HTTPBasicAuthHandler(authinfo)
    opener = urllib2.build_opener(authHandler)

where host = "http://localhost:7993"

I've tested the proposed fix shown in urllib2_bug.py at line 31,
to whit, this:

class HTTPBasicAuthHandlerF(AbstractBasicAuthHandler,

    auth_header = 'Authorization'

    def http_error_401(self, req, fp, code, msg, headers):
        host = req.get_full_url()
        return self.http_error_auth_reqed('www-authenticate',
                                          host, req, headers)

This appears to have corrected the problem.

test_urllib2.py and test_urllib.py both pass after making
this change. I did not test the ProxyBasicAuthHandler change
(I don't have a proxy)


Comment By: James Kruth (jk7)
Date: 2004-02-20 21:25

Logged In: YES 

Here's a sample of the problem...


Comment By: James Kruth (jk7)
Date: 2004-02-20 14:39

Logged In: YES 

I've made up a file with some source code and comments that
will hopefully clarify what I posted.  I will post an
example of the problem a bit later today.


You can respond by visiting: 

More information about the Python-bugs-list mailing list