[issue11153] urllib2 basic auth parser handle unquoted realm in WWW-Authenticate header

2012-07-09 Thread Thomas Parslow

Thomas Parslow  added the comment:

This is already fixed in the current code; unquoted realms are allowed with a 
warning.

--
nosy: +almost

___
Python tracker 
<http://bugs.python.org/issue11153>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue15310] urllib: Support for multiple WWW-Authenticate headers and/or multiple challenges per header

2012-07-09 Thread Thomas Parslow

New submission from Thomas Parslow :

The HTTP spec specifies that the 401 (Unauthorized) response can be accompanied 
by multiple challenges, either as separate WWW-Authenticate headers or in a 
single WWW-Authenticate header separated by commas. The client should always 
pick the strongest supported, which in the case of urllib is "digest". Unknown 
challenge types (for urllib that's anything but "basic" and "digest") should be 
ignored as long as there is a known one as well.

This is my first patch submission to CPython so please do point out anything 
I've done wrong! I'd like to do more work on CPython so best to nip any bad 
habits in the bud!

In this patch I've re-written the parsing code to support this. I've tried to 
re-use existing code as much as possible, so I've based the new parser on the 
existing parse_http_list which I had to extend so that it can be used to parse 
single quoted strings. These single quoted strings are not valid for the HTTP 
spec but apparently they do appear in the wild and the existing implementation 
allowed them so I've continued to allow them. I've also kept the existing 
behaviour with regard to unquoted realm values: a warning is raised but 
otherwise they are allowed. The requirement of raising the warning added a 
slightly awkward bit to the code, but I assumed there was a good reason for 
that warning being there so I kept it in.

--
components: Library (Lib)
files: urllib-multi-authenticate-challenges.patch
keywords: patch
messages: 165132
nosy: almost
priority: normal
severity: normal
status: open
title: urllib: Support for multiple WWW-Authenticate headers and/or multiple 
challenges per header
type: behavior
versions: Python 3.4
Added file: 
http://bugs.python.org/file26337/urllib-multi-authenticate-challenges.patch

___
Python tracker 
<http://bugs.python.org/issue15310>
___
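
One way to implement the selection rule described in the submission above, as an added example that is not the submitted patch or CPython's own code: it collects challenges from several WWW-Authenticate values, ignores unknown schemes, and prefers Digest so that Basic credentials are not sent when a stronger challenge was offered. The function names and sample header values are constructed for illustration, only `urllib.request.parse_http_list` is an existing standard-library call, and token68 credentials are not handled.

```python
import re
from urllib.request import parse_http_list  # stdlib: comma split that respects quotes

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
PARAM = re.compile(r"(%s)\s*=\s*(.*)" % TOKEN, re.S)    # key=value
SCHEME = re.compile(r"(%s)(?:\s+(.*))?" % TOKEN, re.S)  # scheme [first param]
PREFERENCE = ("digest", "basic")  # strongest first; anything else is ignored

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value  # an unquoted value (e.g. a bare realm) is accepted as-is

def parse_challenges(header_values):
    """Return [(scheme, params)] from every WWW-Authenticate value, in order."""
    challenges = []
    for value in header_values:
        current = None  # parameters never carry over between header lines
        for item in parse_http_list(value):
            param = PARAM.fullmatch(item)
            if param:  # continuation of the current challenge
                if current is not None:
                    current[1][param.group(1).lower()] = _unquote(param.group(2))
                continue
            start = SCHEME.fullmatch(item)
            if not start:  # empty or malformed item
                continue
            current = (start.group(1).lower(), {})
            challenges.append(current)
            first = PARAM.fullmatch(start.group(2) or "")
            if first:
                current[1][first.group(1).lower()] = _unquote(first.group(2))
    return challenges

def pick_challenge(header_values, preference=PREFERENCE):
    found = parse_challenges(header_values)
    for scheme in preference:  # walk our preference order, not the server's
        for name, params in found:
            if name == scheme:
                return name, params
    return None  # only unknown schemes were offered

# Constructed sample: two header lines, three challenges, one unknown scheme.
SAMPLE = ['Negotiate, Basic realm="staff, internal"',
          'Digest realm="staff", nonce="abc123", qop="auth"']
```

`pick_challenge(SAMPLE)` returns the Digest challenge even though Basic appears first, and returns `None` when only unknown schemes are present.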



[issue15310] urllib: Support for multiple WWW-Authenticate headers and/or multiple challenges per header

2012-07-09 Thread Thomas Parslow

Thomas Parslow  added the comment:

I should mention, this fixes the same issue mentioned in #13323 but more 
comprehensively and for Python 3 (the old issue refers to urllib2 in Python 2).

--
