Bugs item #900898, was opened at 2004-02-20 06:51 Message generated for change (Comment added) made by jjlee You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=105470&aid=900898&group_id=5470
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Python Library Group: Python 2.3 Status: Open Resolution: None Priority: 5 Submitted By: James Kruth (jk7) Assigned to: Nobody/Anonymous (nobody) Summary: urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr Initial Comment: If the Request object being used returns a URI with a port included (e.g. http://www.mysite.com:7777/index.html) If Request.get_full_url() or Request.get_host() returns a URI or host with a port included (e.g. http://www.mysite.com:7777/index.html or www.mysite.com:7777, respectively), and authentication (proxy or http, basic only) is required, then the respective AuthHandlers (HTTPBasicAuthHandler, ProxyBasicAuthHandler) end up calling http_error_auth_reqed with a host looking like "www.mysite.com:7777". http_error_auth_reqed then precedes to call retry_http_basic_auth with the same host parameter, which in turn calls HTTPPasswordMgr.find_user_password. The problem is that find_user_password appears to expect a full URI, and attempts to reduce it to just a host, by calling reduce_uri. If a bare host with a port is passed (like "www.mysite.com:7777"), then reduce_uri returns just the port number in the netloc position - which find_user_password then attempts to compare against the correct host name you've stored in your HTTPPasswordMgr object along with your user name and password. I believe either find_user_password should not reduce the host, or the Auth Handler objects should pass full hostnames to find_user_password. ---------------------------------------------------------------------- Comment By: John J Lee (jjlee) Date: 2006-04-15 18:59 Message: Logged In: YES user_id=261020 This is fixed by patch 1470846, which includes tests and doc fix / update (though I neglected to mention that the patch fixes this problem in the initial patch comment; I'll rectify that now). ---------------------------------------------------------------------- Comment By: Brad Clements (bkc) Date: 2004-04-06 20:58 Message: Logged In: YES user_id=4631 I ran into this problem today with Python 2.3.3 on RedHat 9. I'm using port numbers in my URLs, and I found that the Auth Handler did NOT correctly find the userid and password registered. ie: authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm() authinfo.add_password(None, host, userid, password) authHandler = urllib2.HTTPBasicAuthHandler(authinfo) opener = urllib2.build_opener(authHandler) where host = "http://localhost:7993"; I've tested the proposed fix shown in urllib2_bug.py at line 31, to whit, this: class HTTPBasicAuthHandlerF(AbstractBasicAuthHandler, BaseHandler): auth_header = 'Authorization' def http_error_401(self, req, fp, code, msg, headers): host = req.get_full_url() return self.http_error_auth_reqed('www-authenticate', host, req, headers) This appears to have corrected the problem. test_urllib2.py and test_urllib.py both pass after making this change. I did not test the ProxyBasicAuthHandler change (I don't have a proxy) ---------------------------------------------------------------------- Comment By: James Kruth (jk7) Date: 2004-02-20 21:25 Message: Logged In: YES user_id=979977 Here's a sample of the problem... ---------------------------------------------------------------------- Comment By: James Kruth (jk7) Date: 2004-02-20 14:39 Message: Logged In: YES user_id=979977 I've made up a file with some source code and comments that will hopefully clarify what I posted. I will post an example of the problem a bit later today. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=105470&aid=900898&group_id=5470 _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
