[Python-checkins] cpython (2.7): - Issue #13642: Unquote before b64encoding user:password during Basic
senthil.kumaran
python-checkins at python.org
Tue Jan 10 17:09:52 CET 2012
http://hg.python.org/cpython/rev/01ef13e9e225
changeset: 74321:01ef13e9e225
branch: 2.7
user: Senthil Kumaran <senthil at uthcode.com>
date: Wed Jan 11 00:09:24 2012 +0800
summary:
- Issue #13642: Unquote before b64encoding user:password during Basic
Authentication. Patch contributed by Joonas Kuorilehto and Michele Orrù.
files:
Lib/test/test_urllib.py | 54 +++++++++++++++++++++++++++-
Lib/urllib.py | 11 +++--
Misc/NEWS | 3 +
3 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -3,13 +3,16 @@
import urllib
import httplib
import unittest
-from test import test_support
import os
import sys
import mimetools
import tempfile
import StringIO
+from test import test_support
+from base64 import b64encode
+
+
def hexescape(char):
"""Escape char as RFC 2396 specifies"""
hex_repr = hex(ord(char))[2:].upper()
@@ -22,8 +25,9 @@
def fakehttp(self, fakedata):
class FakeSocket(StringIO.StringIO):
- def sendall(self, str):
- pass
+ def sendall(self, data):
+ FakeHTTPConnection.buf = data
+
def makefile(self, *args, **kwds):
return self
@@ -38,9 +42,15 @@
return StringIO.StringIO.readline(self, length)
class FakeHTTPConnection(httplib.HTTPConnection):
+
+ # buffer to store data for verification in urlopen tests.
+ buf = ""
+
def connect(self):
self.sock = FakeSocket(fakedata)
+
assert httplib.HTTP._connection_class == httplib.HTTPConnection
+
httplib.HTTP._connection_class = FakeHTTPConnection
def unfakehttp(self):
@@ -209,6 +219,41 @@
finally:
self.unfakehttp()
+ def test_userpass_inurl(self):
+ self.fakehttp('Hello!')
+ try:
+ fakehttp_wrapper = httplib.HTTP._connection_class
+ fp = urllib.urlopen("http://user:pass@python.org/")
+ authorization = ("Authorization: Basic %s\r\n" %
+ b64encode('user:pass'))
+ # The authorization header must be in place
+ self.assertIn(authorization, fakehttp_wrapper.buf)
+ self.assertEqual(fp.readline(), "Hello!")
+ self.assertEqual(fp.readline(), "")
+ self.assertEqual(fp.geturl(), 'http://user:pass@python.org/')
+ self.assertEqual(fp.getcode(), 200)
+ finally:
+ self.unfakehttp()
+
+ def test_userpass_with_spaces_inurl(self):
+ self.fakehttp('Hello!')
+ try:
+ url = "http://a b:c d at python.org/"
+ fakehttp_wrapper = httplib.HTTP._connection_class
+ authorization = ("Authorization: Basic %s\r\n" %
+ b64encode('a b:c d'))
+ fp = urllib.urlopen(url)
+ # The authorization header must be in place
+ self.assertIn(authorization, fakehttp_wrapper.buf)
+ self.assertEqual(fp.readline(), "Hello!")
+ self.assertEqual(fp.readline(), "")
+ # the spaces are quoted in URL so no match
+ self.assertNotEqual(fp.geturl(), url)
+ self.assertEqual(fp.getcode(), 200)
+ finally:
+ self.unfakehttp()
+
+
class urlretrieve_FileTests(unittest.TestCase):
"""Test urllib.urlretrieve() on local files"""
@@ -716,6 +761,9 @@
self.assertEqual(('user', 'a\fb'),urllib.splitpasswd('user:a\fb'))
self.assertEqual(('user', 'a\vb'),urllib.splitpasswd('user:a\vb'))
self.assertEqual(('user', 'a:b'),urllib.splitpasswd('user:a:b'))
+ self.assertEqual(('user', 'a b'),urllib.splitpasswd('user:a b'))
+ self.assertEqual(('user 2', 'ab'),urllib.splitpasswd('user 2:ab'))
+ self.assertEqual(('user+1', 'a+b'),urllib.splitpasswd('user+1:a+b'))
class URLopener_Tests(unittest.TestCase):
diff --git a/Lib/urllib.py b/Lib/urllib.py
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -27,6 +27,8 @@
import os
import time
import sys
+import base64
+
from urlparse import urljoin as basejoin
__all__ = ["urlopen", "URLopener", "FancyURLopener", "urlretrieve",
@@ -318,13 +320,13 @@
if not host: raise IOError, ('http error', 'no host given')
if proxy_passwd:
- import base64
+ proxy_passwd = unquote(proxy_passwd)
proxy_auth = base64.b64encode(proxy_passwd).strip()
else:
proxy_auth = None
if user_passwd:
- import base64
+ user_passwd = unquote(user_passwd)
auth = base64.b64encode(user_passwd).strip()
else:
auth = None
@@ -408,12 +410,12 @@
#print "proxy via https:", host, selector
if not host: raise IOError, ('https error', 'no host given')
if proxy_passwd:
- import base64
+ proxy_passwd = unquote(proxy_passwd)
proxy_auth = base64.b64encode(proxy_passwd).strip()
else:
proxy_auth = None
if user_passwd:
- import base64
+ user_passwd = unquote(user_passwd)
auth = base64.b64encode(user_passwd).strip()
else:
auth = None
@@ -589,7 +591,6 @@
time.gmtime(time.time())))
msg.append('Content-type: %s' % type)
if encoding == 'base64':
- import base64
data = base64.decodestring(data)
else:
data = unquote(data)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -89,6 +89,9 @@
Library
-------
+- Issue #13642: Unquote before b64encoding user:password during Basic
+ Authentication. Patch contributed by Joonas Kuorilehto and Michele Orrù.
+
- Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list