Fix URI decoding for auth_digest #1717
I did some digging into the changes for 14.2, but according to the PR and the changelog, that would affect basic auth, not digest auth. How is that change implicated?
Please consider dda3364 (Add support for UTF-8 in auth_digest tool), which introduced the change I am talking about. I suppose the Changelog is just not complete. In the PR #1683, dda3364 and three other changes to auth_digest are listed among the changes on 22nd April.
Thanks for the clarification. Now that I understand it a bit better, I'm pretty sure this change isn't the right one. I'm not sure what the right change is, though. Let's continue the discussion in the ticket.
+1 I also felt like this is a weird place for trying to fix such issue.
Well, if it fixes a regression, would it not be sensible to accept a hacky fix first and search for the one true way later?
I'm really grateful that you spend efforts trying to figure this out and help us. We are short on maintainers and are really lucky to have such people like you contributing to the project and making it better! This change, however, doesn't fix a regression, it monkey-patches what's related/unique to your concrete application, not CherryPy. And it patches the wrong place meaning that something in someone else's workflow gets broken. It's dangerous/harmful to throw in patches like this (even with no tests covering this case), this will likely cause another regression, which would be much harder to identify and eliminate. As maintainers, @jaraco and I are responsible for the changes we accept and we do our best to avoid mistakes, which might be hard to fix in future. We have to weigh every decision we make to ensure we don't introduce sudden regressions, don't break pre-decided design considerations, keep the code base in a good shape. I hope that this issue gets fixed soon and as a quick workaround for your app I may suggest you to copy-paste this tool into your app, do whatever temporary patches necessary and use it instead of a built-in tool and then switch back to native tool once the fix is released. Have a nice day and again thank you for your contributions!
Codecov Report
@@ Coverage Diff @@
## master #1717 +/- ##
==========================================
- Coverage 80.81% 79.45% -1.36%
==========================================
Files 105 105
Lines 13566 13563 -3
==========================================
- Hits 10963 10777 -186
- Misses 2603 2786 +183
decoding URIs in auth header breaks e.g. if it contains slashes
I've added changes, which should completely eliminate the issue and take into account the format in which browsers send unicode digest auth
Thank you very much for unmonkeying and fixing this!
Could you please check this across browsers, at least Firefox, because I don't have one on the current machine.
Works for me on Firefox and Chrome; thank you!
Great! Let's wait till @jaraco validates it as well then :)
Although I'm not happy with the decode routine, since this addresses the issue, I'm happy to accept it to address the regression.
k: tonative(v, enc) | ||
for k, v in param_map.items() | ||
} | ||
return tonative(ntob(tonative(header, 'latin1'), 'latin1'), enc) |
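Review bot: the return line `tonative(ntob(tonative(header, 'latin1'), 'latin1'), enc)` needs a comment saying why the header is round-tripped through latin1 before being decoded as `enc`; as written, the intent (presumably recovering the bytes the client sent and reinterpreting them in `enc`) has to be guessed. Nothing in these lines handles a header whose bytes are not valid in `enc`, so the failure path for a malformed Authorization header should be decided here, and a test with a non-ASCII username per supported encoding would pin the behaviour down.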
This code is clearly not optimal or intuitive... and it introduces two additional deprecated calls. I want to clean this up.
Yeah, I tried that. But it's a can of worms, there's too many moving parts. Let's do refactoring separately from the bug fix, please.
decoding URIs in auth header breaks e.g. if it contains slashes
What kind of change does this PR introduce?
What is the related issue number (starting with #)
#1716
Authentication loop, see #1716
Authentication, as before 14.2
Other information:
Checklist:
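Why decoding the `uri` field of a digest header can break verification when the path contains an escaped slash, as an added example (not code from CherryPy or from this PR). It assumes the RFC 2617 response computed without `qop`; the credentials, nonce and paths are constructed, and `server_accepts` with its `decode_uri` switch is a hypothetical stand-in for a server-side check.

```python
import hashlib
import hmac
from urllib.parse import unquote


def md5_hex(text):
    return hashlib.md5(text.encode('utf-8')).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex('%s:%s:%s' % (username, realm, password))
    ha2 = md5_hex('%s:%s' % (method, uri))  # the uri is hashed as sent
    return md5_hex('%s:%s:%s' % (ha1, nonce, ha2))


def server_accepts(params, method, password, decode_uri):
    """Hypothetical server check; decode_uri=True percent-decodes first."""
    uri = unquote(params['uri']) if decode_uri else params['uri']
    expected = digest_response(params['username'], params['realm'],
                               password, method, uri, params['nonce'])
    return hmac.compare_digest(expected, params['response'])


def client_header(uri):
    """Constructed client side: hashes the request URI exactly as sent."""
    params = {'username': 'alice', 'realm': 'example',
              'nonce': 'constructed-nonce', 'uri': uri}
    params['response'] = digest_response('alice', 'example', 's3cret',
                                         'GET', uri, params['nonce'])
    return params


if __name__ == '__main__':
    for uri in ('/files/report.txt', '/files/a%2Fb.txt'):
        header = client_header(uri)
        print(uri,
              'raw:', server_accepts(header, 'GET', 's3cret', False),
              'decoded:', server_accepts(header, 'GET', 's3cret', True))
```

Only the path with `%2F` fails, and only when the server decodes before hashing, which is why a client that keeps retrying with correct credentials ends up in an authentication loop on some URLs and not others.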