classification
Title: urllib2 digest auth is broken
Type: Stage:
Components: None Versions:
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: jhylton Nosy List: anthonybaxter, jhylton
Priority: normal Keywords:

Created on 2003-10-14 10:03 by anthonybaxter, last changed 2022-04-10 16:11 by admin. This issue is now closed.

Files
File name: urllib2.py-digest.diff Uploaded: anthonybaxter, 2003-10-14 13:18 Description: urllib2.py digest diff
Messages (6)
msg18627 - (view) Author: Anthony Baxter (anthonybaxter) (Python triager) Date: 2003-10-14 10:03
The urllib2 digest auth support is busted. For starters, it's looking
for a header 'Authorization' with the auth header in it - the correct
header is WWW-Authenticate, according to rfc2617 (and confirmed by the
"what does apache do?" test). Even after making this fix, auth is
still failing, not sure why yet.

I'm not convinced, looking at the code, that it could have _ever_
worked.

msg18628 - (view) Author: Anthony Baxter (anthonybaxter) (Python triager) Date: 2003-10-14 10:12
Hm. Looking through comments, it's possible that this used
to work with an older, broken, apache digest mode. It
certainly fails with 2.0.47... :-(
msg18629 - (view) Author: Anthony Baxter (anthonybaxter) (Python triager) Date: 2003-10-14 12:16
Ok, we're not handling the qop=auth style of Digest, as
specified in the RFC. I'm working on it now.
msg18630 - (view) Author: Anthony Baxter (anthonybaxter) (Python triager) Date: 2003-10-14 13:18
The following patch gives us a urllib2 that supports digest
auth again. I've tested against Apache-2.0.47, if someone
wants to suggest another webserver to check with, please let
me know.

We now support RFC2617-compliant versions of digest auth. I
have no idea what the code that was in there was trying to
do, but it was broken all over the place - there is no way
it would have worked.

Note the following limitations:
- We are sending a client nonce, but we're not checking the
Authentication-Info that's coming back.
- qop="auth-int" support is shaky. But apache looks like it
doesn't support it properly, anyway. And it's no shakier
than it was <wink>
- algorithm="MD5-sess" isn't properly supported, but then,
it wasn't before, either.
- the code now has a limit of 5 failures in a row before it
bails out. There was no limit previously, so it would
recurse until the recursion limit was hit.

I can't test the old code, unfortunately, but I _believe_
I've made it work again. It certainly could not have worked
as it was. I've also not tested proxy-digest-auth -
suggestions for a proxy server to try? Assuming my reading
of the RFC is right, it should "just work". 
msg18631 - (view) Author: Jeremy Hylton (jhylton) (Python triager) Date: 2003-10-21 17:43
Reviewing the patch just now.  It looks basically good.  I
realize that the reason you had so much trouble with the
code is that it was written against RFC 2069 and tested
against some very old version of Apache.
msg18632 - (view) Author: Anthony Baxter (anthonybaxter) (Python triager) Date: 2003-10-22 03:38
I think this should be backported to 2.3, as well - it's a
fix of the currently busted code. You agree with this, Jeremy?

(The note about the need for tests is known, btw, I'm
working on the server side of http digest auth)
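
The difference this thread turns on, between the RFC 2069 response and the RFC 2617 qop=auth response with a client nonce, shown as an added example (it is not code from the attached patch or from urllib2). It uses the sample challenge and credentials from RFC 2617 section 3.5; the function names are hypothetical, and only algorithm MD5 with qop=auth is handled.

```python
import hashlib
import secrets
from urllib.request import parse_http_list, parse_keqv_list

# Sample challenge from RFC 2617 section 3.5 (not taken from this issue).
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(www_authenticate):
    """Split a WWW-Authenticate header value into (scheme, parameter dict)."""
    scheme, _, params = www_authenticate.partition(" ")
    return scheme, parse_keqv_list(parse_http_list(params))

def digest_fields(chal, method, uri, user, password, nc=1, cnonce=None):
    """Build the Authorization parameters for one request (algorithm MD5 only)."""
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    nonce = chal["nonce"]
    fields = {"username": user, "realm": chal["realm"], "nonce": nonce, "uri": uri}
    offered = [q.strip() for q in chal.get("qop", "").split(",") if q.strip()]
    if "auth" in offered:
        # RFC 2617: nonce count and client nonce are hashed into the response.
        cnonce = cnonce or secrets.token_hex(8)
        ncvalue = f"{nc:08x}"
        fields.update(qop="auth", nc=ncvalue, cnonce=cnonce)
        fields["response"] = md5_hex(f"{ha1}:{nonce}:{ncvalue}:{cnonce}:auth:{ha2}")
    elif not offered:
        # RFC 2069 form, used only when the server sends no qop directive.
        fields["response"] = md5_hex(f"{ha1}:{nonce}:{ha2}")
    else:
        raise ValueError("server offers only unsupported qop values: %s" % offered)
    if "opaque" in chal:
        fields["opaque"] = chal["opaque"]  # must be echoed back unchanged
    return fields

def authorization_header(fields):
    """Serialize the fields; qop and nc are sent unquoted per RFC 2617."""
    bare = {"qop", "nc"}
    parts = [f"{k}={v}" if k in bare else f'{k}="{v}"' for k, v in fields.items()]
    return "Digest " + ", ".join(parts)

if __name__ == "__main__":
    scheme, chal = parse_challenge(CHALLENGE)
    print(authorization_header(digest_fields(
        chal, "GET", "/dir/index.html", "Mufasa", "Circle Of Life", cnonce="0a4f113b")))
```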
History
Date User Action Args
2022-04-10 16:11:44 admin set github: 39407
2003-10-14 10:03:32 anthonybaxter create