urllib2 basic auth handler doesn't handle realm names in single-quoted strings

[varmaa]

BPO	2136
Nosy	@birkenfeld
Files	urllib2_single_quoted_auth_fix.patch: Patch to fix the bug described in this issue.

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/birkenfeld'
closed_at = <Date 2008-03-21.19:54:07.063>
created_at = <Date 2008-02-18.01:02:46.989>
labels = ['type-bug', 'library']
title = "urllib2 basic auth handler doesn't handle realm names in single-quoted strings"
updated_at = <Date 2008-03-21.19:54:07.061>
user = 'https://bugs.python.org/varmaa'

bugs.python.org fields:

activity = <Date 2008-03-21.19:54:07.061>
actor = 'georg.brandl'
assignee = 'georg.brandl'
closed = True
closed_date = <Date 2008-03-21.19:54:07.063>
closer = 'georg.brandl'
components = ['Library (Lib)']
creation = <Date 2008-02-18.01:02:46.989>
creator = 'varmaa'
dependencies = []
files = ['9455']
hgrepos = []
issue_num = 2136
keywords = ['patch']
message_count = 3.0
messages = ['62513', '64123', '64267']
nosy_count = 3.0
nosy_names = ['georg.brandl', 'jafo', 'varmaa']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue2136'
versions = ['Python 2.6']

[varmaa]

This isn't necessarily a bug in Python--it's really a bug in websites
that produce what are technically malformed WWW-Authenticate headers, I
believe.

According to RFC 2617, a WWW-Authenticate header should be of the form:

WWW-Authenticate: Basic realm="Private"

However, some websites, produce the header using single-quotes:

WWW-Authenticate: Basic realm='Private'

The Firefox browser deals with this gracefully, but Python's urllib2
does not; specifically, an AbstractBasicAuthHandler does not recognize
the second type of header as an auth header at all, and as a result it's
impossible to access sites protected with such headers.

The attached patch alters the behavior of the class to deal with this
situation gracefully, and also adds a unit test to ensure that the
functionality works.

Implementation notes: This isn't the most well-engineered fix in the
world; in particular, I didn't change the regex used to parse
WWW-Authenticate headers, in part because (A) such a regex was difficult
to compose and (B) it would've been quite difficult to read, and I
didn't want to inadvertently mess up the current behavior of the code.

[jafo]

This patch looks good to me, but I don't know the implications of this.
It seems reasonable to me, but I'd defer to an HTTP lawyer.

[birkenfeld]

Huh, I'm not really an HTTP expert either :)
But this seems reasonable to me. Implemented this (with a slightly
different patch) in r61711.