New submission from Stephen Balousek <step...@balousek.net>:

When making an HTTP request using an opener with an attached HTTPDigestAuthHandler, the request causes a crash when the returned 'WWW-Authenticate' header for the 'Digest' domain does not return the optional 'qop' value.

Response headers:
=================
Content-Type: application/json
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline';img-src 'self' data:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 600
WWW-Authenticate: Digest realm="ServiceManager", nonce="1580815098100956"
WWW-Authenticate: Basic realm="ServiceManager", charset="UTF-8"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Expires: 0
Pragma: no-cache

Crash:
======
Error: Exception: 'NoneType' object has no attribute 'split'
Traceback (most recent call last):
  ...
  File "/home/sbalousek/bin/restap.py", line 1317, in RunTest
    status, payload, contentType = ExecuteRequest(baseUrl, test, tap);
  File "/home/sbalousek/bin/restap.py", line 1398, in ExecuteRequest
    response = opener.open(request, payload, timeout);
  File "/usr/lib/python3.8/urllib/request.py", line 523, in open
    response = meth(req, response)
  File "/home/sbalousek/bin/restap.py", line 1065, in http_response
    return self.process_response(request, response, HTTPErrorProcessor.http_response);
  File "/home/sbalousek/bin/restap.py", line 1056, in process_response
    return handler(self, request, response);
  File "/usr/lib/python3.8/urllib/request.py", line 632, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 555, in error
    result = self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 1203, in http_error_401
    retry = self.http_error_auth_reqed('www-authenticate',
  File "/usr/lib/python3.8/urllib/request.py", line 1082, in http_error_auth_reqed
    return self.retry_http_digest_auth(req, authreq)
  File "/usr/lib/python3.8/urllib/request.py", line 1090, in retry_http_digest_auth
    auth = self.get_authorization(req, chal)
  File "/usr/lib/python3.8/urllib/request.py", line 1143, in get_authorization
    if 'auth' in qop.split(','):
AttributeError: 'NoneType' object has no attribute 'split'

Diagnosis:
==========
The crash is a result of an optional 'qop' value missing from the 'WWW-Authenticate' header.

This bug was introduced in changes for issue 38686.

----------
components: Library (Lib)
messages: 361330
nosy: Stephen Balousek
priority: normal
severity: normal
status: open
title: Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop'
type: crash
versions: Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue39548>
_______________________________________