[issue13323] urllib2 does not correctly handle multiple www-authenticate headers in an HTTP response
New submission from David Fischer: I ran into an application that responded with two www-authenticate challenges to an HTTP request. First, it sends a standard Basic authentication challenge and then it also returns a www-authenticate header referencing another scheme. This looks legal to me according to RFC 2617. However, the regex in AbstractBasicAuthHandler that parses the www-authenticate header only grabs one of the challenges (the last one) and therefore urllib2 will not respond to the challenge with credentials.

--
messages: 146842
nosy: dfischer
priority: normal
severity: normal
status: open
title: urllib2 does not correctly handle multiple www-authenticate headers in an HTTP response
versions: Python 2.7

___
Python tracker <http://bugs.python.org/issue13323>
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
David Fischer added the comment: Perhaps I should have chosen my words more carefully. There are two www-authenticate headers in the single HTTP response.

--
___
Python tracker <http://bugs.python.org/issue13323>
David Fischer added the comment: I think the key words in the RFC are "strongest auth-scheme it understands". I think in an ideal world, the urllib2 opener (given its handlers) would see that it doesn't understand the second auth-scheme and then see if it understands the first one. However, the term "strongest" implies an ordering among the auth schemes.

--
___
Python tracker <http://bugs.python.org/issue13323>
David Fischer added the comment: With this patch, the AbstractBasicAuthHandler (and its subclasses) performs a regex search on the amalgamated "www-authenticate" header for basic authentication. This fixes the case where you have an HTTP response of the form:

HTTP/1.1 401 Authorization Required
Server: HTTPd/1.0
WWW-Authenticate: Basic realm="Secure Area"
WWW-Authenticate: SomethingElse realm="Alternative"
...

In the above case, AbstractBasicAuthHandler will attempt basic auth against the "Secure Area" realm.

--
keywords: +patch
Added file: http://bugs.python.org/file23619/urllib2_basicauth.patch

___
Python tracker <http://bugs.python.org/issue13323>
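The header handling discussed in the comments above (several WWW-Authenticate challenges in one response, and picking the strongest scheme the client understands) as an added example. This is not the attached patch and not urllib2's code. It reads every WWW-Authenticate header from a constructed 401 response, shows the last-header-only lookup the report describes missing the Basic challenge, joins all headers before searching as the patch description says, and ranks schemes with an assumed preference order (negotiate, digest, basic), since RFC 2617 leaves "strongest" to the implementer. The response bytes, realm names and the ranking are constructed for the example; the parser handles the auth-param challenge form only, not bare token68 data.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

Challenge = Tuple[str, Dict[str, str]]

# Constructed 401 head in the shape the report describes: the Basic challenge
# first, an unknown scheme in a second header. Not captured from a real server.
SAMPLE_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: HTTPd/1.0\r\n"
    b'WWW-Authenticate: Basic realm="Secure Area"\r\n'
    b'WWW-Authenticate: SomethingElse realm="Alternative"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-scheme: a token followed by whitespace, a comma or end of input
_SCHEME_RE = re.compile(r"\s*(" + _TOKEN + r")(?=[\s,]|$)")
# auth-param: token "=" (quoted-string | token), with an optional trailing comma
_PARAM_RE = re.compile(r"\s*(" + _TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r")\s*,?")


def header_values(raw_response: bytes, name: str) -> List[str]:
    """Every value of header `name` in a raw HTTP response head, in wire order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # [1:] drops the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(value: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into (scheme, params) pairs, coping with
    several challenges in one value and commas inside quoted parameters."""
    challenges: List[Challenge] = []
    pos, end = 0, len(value)
    while pos < end:
        while pos < end and value[pos] in " \t,":  # separators between challenges
            pos += 1
        if pos >= end:
            break
        m = _SCHEME_RE.match(value, pos)
        if m is None:
            raise ValueError("malformed challenge at offset %d: %r" % (pos, value[pos:]))
        scheme, pos = m.group(1), m.end()
        params: Dict[str, str] = {}
        while True:
            pm = _PARAM_RE.match(value, pos)
            if pm is None:
                break
            params[pm.group(1).lower()] = _unquote(pm.group(2))
            pos = pm.end()
        challenges.append((scheme, params))
    return challenges


def _basic_realm(challenges: Sequence[Challenge]) -> Optional[str]:
    for scheme, params in challenges:
        if scheme.lower() == "basic":
            return params.get("realm")
    return None


def basic_realm_last_header_only(raw_response: bytes) -> Optional[str]:
    """The failure mode in the report: only the last WWW-Authenticate header is
    consulted, so a Basic challenge sent in an earlier header is missed."""
    values = header_values(raw_response, "WWW-Authenticate")
    return _basic_realm(parse_challenges(values[-1])) if values else None


def basic_realm_all_headers(raw_response: bytes) -> Optional[str]:
    """Join every WWW-Authenticate header with ', ' (RFC 2616 section 4.2 allows
    folding repeated headers this way) and search the combined challenge list."""
    joined = ", ".join(header_values(raw_response, "WWW-Authenticate"))
    return _basic_realm(parse_challenges(joined))


# Ranking assumed by this example, strongest first. RFC 2617 tells the client to
# use the strongest scheme it understands but leaves the ordering to the client.
PREFERENCE: Sequence[str] = ("negotiate", "digest", "basic")


def pick_challenge(challenges: Sequence[Challenge],
                   preference: Sequence[str] = PREFERENCE) -> Optional[Challenge]:
    """Pick the understood challenge ranked highest in `preference`, regardless
    of the position the server gave it."""
    known = [c for c in challenges if c[0].lower() in preference]
    if not known:
        return None
    return min(known, key=lambda c: preference.index(c[0].lower()))
```

The join-then-parse step is what makes header order irrelevant: a client that only looks at the last header gets `None` for the sample response, while the combined list yields the "Secure Area" realm. Ranking by an explicit preference list, rather than by position, is one way to give "strongest" the ordering the second comment says it implies.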
[issue3819] urllib2 sends Basic auth across redirects
David Fischer added the comment: I believe this bug affects urllib2 when it talks to the corporate single-sign-on solution Siteminder. Siteminder usually is installed as a web server module. When a request is made to the server (origin server), Siteminder issues a 302 redirect to a central authentication server running SSL, passing the original request URL of the origin server. The central server responds with a 401 basic authentication challenge. Urllib2 responds with the password from the HTTPPasswordMgr. The central server sets some cookies and responds with a 302 redirect to the origin server on the original URL. Urllib2 then sends the authentication and cookies to the origin server, which is virtually always unprotected. Browsers do not send the authentication to the origin server -- only the cookies.

--
nosy: +dfischer
Added file: http://bugs.python.org/file16198/siteminder_3819.py

___
Python tracker <http://bugs.python.org/issue3819>
David Fischer added the comment: I attached a diff of a fix for this bug. This may not be the ideal fix, but hopefully it will give the developer who actually does resolve it a good start.

--
keywords: +patch
Added file: http://bugs.python.org/file16204/urllib2-3819.diff

___
Python tracker <http://bugs.python.org/issue3819>
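A defensive redirect policy for the flow described in the first comment on this issue, as an added example; it is neither the attached diff nor urllib2's own code, and it is written against Python 3's urllib.request rather than Python 2's urllib2. The pure function keeps the Authorization header only when the redirect target shares scheme, host and port with the URL the credential was sent to; the handler subclass applies the same rule to the Request that urllib.request.HTTPRedirectHandler builds, whatever the auth handlers attached upstream. The SSO and origin URLs, the cookie and the credential value are constructed for the example.

```python
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

_DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed hops mirroring the report (hostnames invented for the example):
# the SSO host challenged for Basic auth, the client answered, and the SSO
# host then redirected back to the origin server after setting cookies.
SSO_URL = "https://sso.example.test/login?TARGET=http://app.example.test/report"
ORIGIN_URL = "http://app.example.test/report"
SSO_REQUEST_HEADERS = {
    "Authorization": "Basic dXNlcjpwYXNz",  # "user:pass", constructed
    "Cookie": "SMSESSION=constructed-value",
    "User-Agent": "example-client/0.1",
}


def origin_of(url: str):
    """(scheme, host, port) with the scheme's default port filled in, so that
    https://h/ and https://h:443/ compare equal while https://h/ and http://h/ do not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or _DEFAULT_PORTS.get(scheme)


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Headers to carry when following a redirect from `from_url` to `to_url`.

    Authorization survives only for a same-origin target; a different host or
    port, or an https -> http downgrade, drops it. Other headers, cookies
    included, are passed through unchanged.
    """
    if origin_of(from_url) == origin_of(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


class OriginBoundAuthRedirectHandler(HTTPRedirectHandler):
    """Enforces the same policy on the Request urllib builds for a redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is not None and origin_of(req.full_url) != origin_of(new_req.full_url):
            new_req.remove_header("Authorization")  # removes it from both header dicts
        return new_req


def build_hardened_opener(*handlers):
    """build_opener skips the default HTTPRedirectHandler when given a subclass of it."""
    return build_opener(OriginBoundAuthRedirectHandler, *handlers)
```

Including the scheme in the origin comparison means a redirect from the SSL authentication server to a plain-http origin server, the exact hop in the report, strips the credential even when the hostnames happen to match, so the Basic header never travels in the clear. The handler can be exercised offline by calling `redirect_request` directly with a 302 and `fp=None`, which is what the checks for this example do.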