urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr #39958

Closed
jk7 mannequin opened this issue Feb 20, 2004 · 6 comments
Labels
stdlib Python modules in the Lib dir

Comments

@jk7

jk7 mannequin commented Feb 20, 2004

BPO 900898
Nosy @birkenfeld
Files
  • urllib2_bug.py: Explanation of the bug, and proposed fix.
  • authbugsample.py
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2006-04-30.08:22:35.000>
    created_at = <Date 2004-02-20.06:51:04.000>
    labels = ['library']
    title = 'urllib2 AuthHandlers can pass a bad host to HTTPPasswordMgr'
    updated_at = <Date 2006-04-30.08:22:35.000>
    user = 'https://bugs.python.org/jk7'

    bugs.python.org fields:

    activity = <Date 2006-04-30.08:22:35.000>
    actor = 'georg.brandl'
    assignee = 'none'
    closed = True
    closed_date = None
    closer = None
    components = ['Library (Lib)']
    creation = <Date 2004-02-20.06:51:04.000>
    creator = 'jk7'
    dependencies = []
    files = ['1209', '1210']
    hgrepos = []
    issue_num = 900898
    keywords = []
    message_count = 6.0
    messages = ['20066', '20067', '20068', '20069', '20070', '20071']
    nosy_count = 4.0
    nosy_names = ['georg.brandl', 'jjlee', 'bkc', 'jk7']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = None
    status = 'closed'
    superseder = None
    type = None
    url = 'https://bugs.python.org/issue900898'
    versions = ['Python 2.3']

    @jk7

    jk7 mannequin commented Feb 20, 2004

    If the Request object being used returns a URI with a
    port included (e.g. http://www.mysite.com:7777/index.html)

    If Request.get_full_url() or Request.get_host() returns
    a URI or host with a port included (e.g.
    http://www.mysite.com:7777/index.html or
    www.mysite.com:7777, respectively), and authentication
    (proxy or http, basic only) is required, then the
    respective AuthHandlers (HTTPBasicAuthHandler,
    ProxyBasicAuthHandler) end up calling
    http_error_auth_reqed with a host looking like
    "www.mysite.com:7777". http_error_auth_reqed then
    proceeds to call retry_http_basic_auth with the same
    host parameter, which in turn calls
    HTTPPasswordMgr.find_user_password. The problem is
    that find_user_password appears to expect a full URI,
    and attempts to reduce it to just a host, by calling
    reduce_uri. If a bare host with a port is passed (like
    "www.mysite.com:7777"), then reduce_uri returns just
    the port number in the netloc position - which
    find_user_password then attempts to compare against the
    correct host name you've stored in your HTTPPasswordMgr
    object along with your user name and password. I
    believe either find_user_password should not reduce the
    host, or the Auth Handler objects should pass full
    hostnames to find_user_password.

    @jk7 jk7 mannequin closed this as completed Feb 20, 2004
    @jk7 jk7 mannequin added the stdlib Python modules in the Lib dir label Feb 20, 2004
    @jk7

    jk7 mannequin commented Feb 20, 2004

    Logged In: YES
    user_id=979977

    I've made up a file with some source code and comments that
    will hopefully clarify what I posted. I will post an
    example of the problem a bit later today.

    @jk7

    jk7 mannequin commented Feb 20, 2004

    Logged In: YES
    user_id=979977

    Here's a sample of the problem...

    @bkc

    bkc mannequin commented Apr 6, 2004

    Logged In: YES
    user_id=4631

    I ran into this problem today with Python 2.3.3 on RedHat 9.
    I'm using port numbers in my URLs, and I found that the Auth
    Handler did NOT correctly find the userid and password
    registered.

    ie:

        authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm()
        authinfo.add_password(None, host, userid, password)
        authHandler = urllib2.HTTPBasicAuthHandler(authinfo)
        
        opener = urllib2.build_opener(authHandler)

    where host = "http://localhost:7993"

    I've tested the proposed fix shown in urllib2_bug.py at line 31,
    to wit, this:

        class HTTPBasicAuthHandlerF(AbstractBasicAuthHandler, BaseHandler):

            auth_header = 'Authorization'

            def http_error_401(self, req, fp, code, msg, headers):
                host = req.get_full_url()
                return self.http_error_auth_reqed('www-authenticate',
                                                  host, req, headers)

    This appears to have corrected the problem.

    test_urllib2.py and test_urllib.py both pass after making
    this change. I did not test the ProxyBasicAuthHandler change
    (I don't have a proxy)

    @jjlee

    jjlee mannequin commented Apr 15, 2006

    Logged In: YES
    user_id=261020

    This is fixed by patch 1470846, which includes tests and doc
    fix / update (though I neglected to mention that the patch
    fixes this problem in the initial patch comment; I'll
    rectify that now).

    @birkenfeld
    Member

    Logged In: YES
    user_id=849994

    Fixed with commit of patch 1470846.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 9, 2022
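
An added example, not code from the issue or from CPython: it replays the lookup the report describes against Python 3's `urllib.request`, the successor to `urllib2`, and checks that credentials registered for one port are not returned for another. `legacy_reduce_uri` is a simplified model of the pre-fix parsing as the report describes it (an assumption, not the urllib2 source); the user name, password and port 7994 are constructed sample values.

```python
from urllib.request import HTTPPasswordMgrWithDefaultRealm

# Constructed sample values (not taken from the issue's attachments).
REGISTERED = "http://localhost:7993"
USER, PASSWORD = "alice", "s3cret"


def legacy_reduce_uri(uri):
    """Simplified model (assumption) of the pre-fix behaviour in the report.

    The input is always treated as a URI, so for a bare "host:port" the text
    before the first colon is taken as the scheme and only the port number
    is left in the host position.
    """
    scheme, sep, rest = uri.partition(":")
    if sep and rest.startswith("//"):          # real URI: scheme://netloc/path
        netloc, _, path = rest[2:].partition("/")
        return netloc, "/" + path
    return (rest if sep else uri), "/"         # bare host:port -> port only


def lookup(authuri):
    """Look up credentials with the current stdlib password manager."""
    mgr = HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, REGISTERED, USER, PASSWORD)
    return mgr.find_user_password("any realm", authuri)


def check():
    """Collect the legacy keys and the current lookup results side by side."""
    return {
        # Key the modelled legacy code would compare against the stored host.
        "legacy_full_url": legacy_reduce_uri("http://www.mysite.com:7777/index.html"),
        "legacy_bare_host": legacy_reduce_uri("www.mysite.com:7777"),
        # Current stdlib: both forms the handlers may pass resolve correctly.
        "full_url": lookup("http://localhost:7993/index.html"),
        "bare_host_port": lookup("localhost:7993"),
        # Credentials must stay scoped to the registered port.
        "other_port": lookup("localhost:7994"),
    }


if __name__ == "__main__":
    for name, value in check().items():
        print(f"{name:18} {value}")
```
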