Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

requests.post() adds unwanted Authorization: Basic header with anonymous:no@mail.dom #927

Closed
temoto opened this issue Nov 7, 2012 · 6 comments
Closed

requests.post() adds unwanted Authorization: Basic header with anonymous:no@mail.dom #927

temoto opened this issue Nov 7, 2012 · 6 comments

Comments

@temoto
Copy link

temoto commented Nov 7, 2012 

import requests
requests.post("http://localhost:9091/", data="foobar")

$ nc -l -p 9091
POST / HTTP/1.1
Host: localhost:9091
Content-Length: 6
Authorization: Basic YW5vbnltb3VzOm5vQG1haWwuZG9t
Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: python-requests/0.14.2 CPython/2.7.3 Linux/3.6.0-1-ARCH

foobar^C

$ base64 -d
YW5vbnltb3VzOm5vQG1haWwuZG9t
anonymous:no@mail.dom

WTF this is coming from? So after poking a bit, i found that it's from my .netrc: default login anonymous password no@mail.dom

Okay, so i have to disable automatic netrc support somehow.

Please, tell me one thing, how does it correspond to #44 where auth is explicitly set, but no header is sent and here no auth is set but header is sent?
@kennethreitz
Copy link
Contributor

Interesting. I'd remove that from your .netrc immediately, fwiw :)

Also, there's a config you can set to diasble this: trust_env=False

@temoto
Copy link
Author

temoto commented Nov 7, 2012

Thank you. I did not touch .netrc in years, i think this line was useful for browsing public FTP.

Still it is not clear why in one case requests does not send explicitly set auth headers on premise that exact algorithm (Basic, Digest, etc) is not known beforehand. Does .netrc somehow imply Basic authorization?

@Lukasa
Copy link
Member

Lukasa commented Nov 23, 2012

If you think about the Requests API this actually makes sense. Requests special-cases Basic Auth so you can just pass a naked tuple to the auth parameter, but otherwise you need to pass a class that implements a few special methods. There's no provision for you to pass anything to the auth parameter that means "Use my .netrc file with this authentication type". Maybe there should be, but right now, if you haven't told Requests what auth type to use, it will assume you mean Basic Auth, whether you use a tuple or .netrc.

Does that answer your question?

@sigmavirus24
Copy link
Contributor

@Lukasa there shouldn't be such a parameter ;)

@kennethreitz
Copy link
Contributor

You shouldn't have that line in your .netrc. If it's extremely common, we can consider special-casing it.

@temoto
Copy link
Author

temoto commented Nov 24, 2012

@Lukasa Yes, it does, thank you for thorough answer. And i just tested, the #44 would be satisfied now that requests actually send Basic right away. Everything is consistent now.

Thank you.

@temoto temoto closed this as completed Nov 24, 2012
@migurski migurski mentioned this issue May 26, 2014
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 9, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@temoto @kennethreitz @sigmavirus24 @Lukasa