New submission from Kyle McFarland <[EMAIL PROTECTED]>:

When you request a url that requests Basic authentication info, HTTPBasicAuthHandler adds the Authorization header to the request as a normal (not unredirected) header. Then, if the server returns a 301 or 302 redirect, HTTPRedirectHandler will send a request to the redirected address keeping the normal headers, including the Authorization header HTTPBasicAuthHandler added. I'll attach the code I used to test this.

GET from libwww-perl seems to do this but most browsers don't seem to by default, and although I can't find much in the RFCs about how redirecting is supposed to work wrt. auth headers (feel free to point out sections if I'm blind) I think it breaks ftp://ftp.isi.edu/in-notes/rfc2617.txt somewhat (section 1.1,

"""
The protection space determines the domain over which credentials can be automatically applied. If a prior request has been authorized, the same credentials MAY be reused for all other requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preference. Unless otherwise defined by the authentication scheme, a single protection space cannot extend outside the scope of its server.
""")

since redirects can point to arbitrary urls off of the server.

As in bug #1480067, just adding the header as an unredirected header would stop the header being sent across redirects, if that's indeed the proper behaviour.

----------
components: Library (Lib)
files: test.py
messages: 72871
nosy: TFKyle
severity: normal
status: open
title: urllib2 sends Basic auth across redirects

Added file: http://bugs.python.org/file11441/test.py

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue3819>
_______________________________________
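
The header handling described in the report, as an added example that is not part of the original message or its attached test.py: it uses Python 3's urllib.request (the successor of urllib2) and calls HTTPRedirectHandler.redirect_request directly, so nothing is sent over the network. The hosts, the credential value and the StripAuthOnCrossOriginRedirect class are assumptions made for illustration.

```python
import urllib.request
from urllib.parse import urlsplit

# Constructed placeholders: hosts and credential are for illustration only.
ORIGIN = "http://origin.example/protected"
SAME_HOST = "http://origin.example/moved"
OTHER_HOST = "http://other.example/landing"
AUTH_VALUE = "Basic dXNlcjpwYXNz"  # base64("user:pass")


class StripAuthOnCrossOriginRedirect(urllib.request.HTTPRedirectHandler):
    """Hypothetical mitigation: drop Authorization when scheme or host changes."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        old, new = urlsplit(req.full_url), urlsplit(newurl)
        if new_req is not None and (old.scheme, old.netloc.lower()) != (
            new.scheme, new.netloc.lower()
        ):
            new_req.remove_header("Authorization")
        return new_req


def follow_up_headers(handler, target, unredirected=False, code=302):
    """Return the headers the redirected request would carry (no network I/O)."""
    req = urllib.request.Request(ORIGIN)
    if unredirected:
        # What the report proposes: header is not copied to the new request.
        req.add_unredirected_header("Authorization", AUTH_VALUE)
    else:
        # What the report describes: header travels with the redirect.
        req.add_header("Authorization", AUTH_VALUE)
    new_req = handler.redirect_request(req, None, code, "Found", {}, target)
    return dict(new_req.header_items())


if __name__ == "__main__":
    stock = urllib.request.HTTPRedirectHandler()
    strict = StripAuthOnCrossOriginRedirect()
    print("normal header, stock handler:", follow_up_headers(stock, OTHER_HOST))
    print("unredirected header:", follow_up_headers(stock, OTHER_HOST, unredirected=True))
    print("strict handler, cross-host:", follow_up_headers(strict, OTHER_HOST))
    print("strict handler, same host:", follow_up_headers(strict, SAME_HOST))
```

The strict handler compares scheme and host, following the quoted RFC 2617 text that a protection space does not extend outside the scope of its server.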