[Python-Dev] BUG (urllib2) Authentication request header is broken on long usernames and passwords

The Doctor What docwhat+list.python-dev at gerf.org
Mon Oct 9 22:44:39 CEST 2006


I found a bug in urllib2's handling of basic HTTP authentication.

urllib2 uses the base64.encodestring() method to encode the
username:password.

The problem is that base64.encodestring() adds newlines to wrap the
encoded characters at the 76th column.

This produces bogus request headers like this:
---------->8---------cut---------8<----------------
GET /some/url HTTP/1.1
Host: some.host
Accept-Encoding: identity
Authorization: Basic
cmVhbGx5bG9uZ3VzZXJuYW1lOmFuZXZlbmxvbmdlcnBhc3N3b3JkdGhhdGdvZXNvbmFuZG9uYW5k
b25hbmRvbmFuZG9u

User-agent: some-agent
---------->8---------cut---------8<----------------

This can be worked around by forcing the base64.MAXBINSIZE to
something huge, but really it should be something passed into
base64.encodestring().

# echo example of it wrapping...
# python -c 'import base64; print base64.encodestring("f"*58)'
# echo example of forcing it not to wrap...
# python -c 'import base64; base64.MAXBINSIZE=1000000; print base64.encodestring("f"*58)'

Symptoms of this bug are receiving HTTP 400 responses from the
remote server, spurious authentication errors, or various parts of
the header "vanishing" (because of the double newline).

Thanks!

-- 
** Ridiculous Quotes **
"I want to say this about my state: When Strom Thurmond ran for
president, we voted for him. We're proud of it. And if the rest of
the country had followed our lead, we wouldn't have had all these
problems over all these years, either."
	-- Senate Minority Leader Trent Lott (R-MS), praising Strom
Thurmond's segregationist presidential campaign [12/5/02]

The Doctor What: Second Baseman
http://docwhat.gerf.org/
docwhat *at* gerf *dot* org
KF6VNC
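
Added example (not part of the original post, and not urllib2's own code): a Python 3 reproduction of the header break described above, next to the non-wrapping encoder. It assumes base64.encodebytes() as the current name of the wrapping encoder; the credentials, helper names and the minimal header parser are constructed for illustration.

```python
import base64

# Constructed sample credentials, long enough to exceed one 76-column line.
USER = "reallylongusername"
PASSWORD = "anevenlongerpasswordthatgoesonandonandonandonandon"


def basic_header_wrapping(user, password):
    """Buggy form: encodebytes() wraps at 76 columns and appends a newline."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.encodebytes(raw).decode("ascii")


def basic_header_safe(user, password):
    """Fixed form: b64encode() never inserts line breaks."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def has_line_break(value):
    """Guard to run on any header value before it is written to the wire."""
    return "\r" in value or "\n" in value


def build_request(auth_value):
    """Assemble the request from the post with the given Authorization value."""
    lines = ["GET /some/url HTTP/1.1", "Host: some.host",
             "Authorization: " + auth_value, "User-agent: some-agent", "", ""]
    return "\r\n".join(lines)


def headers_seen_by_server(request):
    """Parse as a server would: the header block ends at the first empty line."""
    seen = {}
    for line in request.splitlines()[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:  # a continuation fragment without ':' is not a header
            seen[name.strip().lower()] = value.strip()
    return seen


if __name__ == "__main__":
    for make in (basic_header_wrapping, basic_header_safe):
        value = make(USER, PASSWORD)
        seen = headers_seen_by_server(build_request(value))
        print(make.__name__, "line break:", has_line_break(value),
              "headers seen:", sorted(seen))
```

With the wrapping encoder the server sees a truncated credential and never sees User-agent, which matches the "vanishing" headers and authentication errors reported above.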

