Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop' #83729

Closed
sbalousek mannequin opened this issue Feb 3, 2020 · 4 comments
Assignees
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@sbalousek
Copy link
Mannequin

sbalousek mannequin commented Feb 3, 2020

BPO 39548
Nosy @orsenthil, @miss-islington, @sbalousek
PRs
  • bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth #18338
  • [3.7] bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338) #18711
  • [3.8] bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338) #18712
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/orsenthil'
    closed_at = <Date 2020-02-29.21:25:11.484>
    created_at = <Date 2020-02-03.23:31:29.049>
    labels = ['3.8', '3.7', 'library', '3.9', 'type-crash']
    title = "Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop'"
    updated_at = <Date 2020-02-29.21:25:11.484>
    user = 'https://github.com/sbalousek'

    bugs.python.org fields:

    activity = <Date 2020-02-29.21:25:11.484>
    actor = 'orsenthil'
    assignee = 'orsenthil'
    closed = True
    closed_date = <Date 2020-02-29.21:25:11.484>
    closer = 'orsenthil'
    components = ['Library (Lib)']
    creation = <Date 2020-02-03.23:31:29.049>
    creator = 'Stephen Balousek'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 39548
    keywords = ['patch']
    message_count = 4.0
    messages = ['361330', '363012', '363014', '363015']
    nosy_count = 3.0
    nosy_names = ['orsenthil', 'miss-islington', 'Stephen Balousek']
    pr_nums = ['18338', '18711', '18712']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue39548'
    versions = ['Python 3.7', 'Python 3.8', 'Python 3.9']

    @sbalousek
    Copy link
    Mannequin Author

    sbalousek mannequin commented Feb 3, 2020

    When making an HTTP request using an opener with an attached HTTPDigestAuthHandler, the request causes a crash when the returned 'WWW-Authenticate' header for the 'Digest' domain does not return the optional 'qop' value.

    Response headers:
    =================
    Content-Type: application/json
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline';img-src 'self' data:
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 600
    WWW-Authenticate: Digest realm="ServiceManager", nonce="1580815098100956"
    WWW-Authenticate: Basic realm="ServiceManager", charset="UTF-8"
    Cache-Control: max-age=0, no-cache, no-store, must-revalidate
    Expires: 0
    Pragma: no-cache

    Crash:
    ======

    Error:   Exception: 'NoneType' object has no attribute 'split'
    Traceback (most recent call last):
    ...
      File "/home/sbalousek/bin/restap.py", line 1317, in RunTest
        status, payload, contentType = ExecuteRequest(baseUrl, test, tap);
      File "/home/sbalousek/bin/restap.py", line 1398, in ExecuteRequest
        response    = opener.open(request, payload, timeout);
      File "/usr/lib/python3.8/urllib/request.py", line 523, in open
        response = meth(req, response)
      File "/home/sbalousek/bin/restap.py", line 1065, in http_response
        return self.process_response(request, response, HTTPErrorProcessor.http_response);
      File "/home/sbalousek/bin/restap.py", line 1056, in process_response
        return handler(self, request, response);
      File "/usr/lib/python3.8/urllib/request.py", line 632, in http_response
        response = self.parent.error(
      File "/usr/lib/python3.8/urllib/request.py", line 555, in error
        result = self._call_chain(*args)
      File "/usr/lib/python3.8/urllib/request.py", line 494, in _call_chain
        result = func(*args)
      File "/usr/lib/python3.8/urllib/request.py", line 1203, in http_error_401
        retry = self.http_error_auth_reqed('www-authenticate',
      File "/usr/lib/python3.8/urllib/request.py", line 1082, in http_error_auth_reqed
        return self.retry_http_digest_auth(req, authreq)
      File "/usr/lib/python3.8/urllib/request.py", line 1090, in retry_http_digest_auth
        auth = self.get_authorization(req, chal)
      File "/usr/lib/python3.8/urllib/request.py", line 1143, in get_authorization
        if 'auth' in qop.split(','):
    AttributeError: 'NoneType' object has no attribute 'split'

    Diagnosis:
    ==========
    The crash is a result of an optional 'qop' value missing from the 'WWW-Authenticate' header.

    This bug was introduced in changes for bpo-38686.

    @sbalousek sbalousek mannequin added 3.8 (EOL) end of life 3.9 only security fixes stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump 3.7 (EOL) end of life labels Feb 3, 2020
    @orsenthil
    Copy link
    Member

    New changeset 5e260e0 by Stephen Balousek in branch 'master':
    bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
    5e260e0

    @miss-islington
    Copy link
    Contributor

    New changeset cf347f3 by Miss Islington (bot) in branch '3.7':
    bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
    cf347f3

    @miss-islington
    Copy link
    Contributor

    New changeset e4686b7 by Miss Islington (bot) in branch '3.8':
    bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)
    e4686b7

    @orsenthil orsenthil self-assigned this Feb 29, 2020
    @orsenthil orsenthil self-assigned this Feb 29, 2020
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump
    Projects
    None yet
    Development

    No branches or pull requests

    2 participants