urllib2 digest auth totally broken

[aaronsw]

BPO	979407
Nosy	@birkenfeld, @orsenthil, @vstinner, @tiran, @mmaker
Dependencies	bpo-944396: urllib2 doesn't handle username/password in url

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2013-07-07.14:40:51.408>
created_at = <Date 2004-06-25.01:16:37.000>
labels = ['easy', 'type-bug', 'library']
title = 'urllib2 digest auth totally broken'
updated_at = <Date 2013-07-07.14:40:51.406>
user = 'https://bugs.python.org/aaronsw'

bugs.python.org fields:

activity = <Date 2013-07-07.14:40:51.406>
actor = 'christian.heimes'
assignee = 'none'
closed = True
closed_date = <Date 2013-07-07.14:40:51.408>
closer = 'christian.heimes'
components = ['Library (Lib)']
creation = <Date 2004-06-25.01:16:37.000>
creator = 'aaronsw'
dependencies = ['944396']
files = []
hgrepos = []
issue_num = 979407
keywords = ['easy']
message_count = 6.0
messages = ['60522', '60523', '182136', '182154', '192438', '192564']
nosy_count = 9.0
nosy_names = ['aaronsw', 'georg.brandl', 'jjlee', 'orsenthil', 'vstinner', 'christian.heimes', 'maker', 'asandvig', 'senko']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue979407'
versions = ['Python 3.1', 'Python 2.7', 'Python 3.2']

[aaronsw]

The urllib2 digest auth handler is totally broken.

1. It looks for an "Authorization" header instead of "WWW-
   Authenticate" (Authorization is the header you send back).

2. It thinks passwords in the URL are port names.

3. Even if you get around all that, it just doesn't work. It seems
   to encrypt the thing wrongly and get itself into an infinite loop
   sending the wrong answer back again and again, being rejected
   each time.

[birkenfeld]

Logged In: YES
user_id=849994

For discussion about number 2 above, see bpo-944396.

[mmaker]

Isn't this issue fixed and tested on Lib/test/test_urllib2.py:1304?

[orsenthil]

let me check that.

[senko]

Checked with 3.4.0 alpha, works fine. Apart from the tests mentioned, I used the following script to check digest auth:

    from urllib import request

    url = 'http://httpbin.org/digest-auth/auth/user/passwd'
    req = request.Request(url)

    password_manager = request.HTTPPasswordMgrWithDefaultRealm()
    password_manager.add_password(None, url, 'user', 'passwd')

    auth_manager = request.HTTPDigestAuthHandler(password_manager)
    opener = request.build_opener(auth_manager)

    request.install_opener(opener)
    handler = request.urlopen(req)

assert handler.getcode() == 200

[tiran]

The bug has been fixed a while ago. Python 2.7 as well as Python 3.x have tests to verify digest auth.

Farewell Aaron...