From 3dc759f2b73cf228f10ef40d76c05c15775df7ea Mon Sep 17 00:00:00 2001
From: PypeBros <PypeBros@users.noreply.github.com>
Date: Mon, 4 Nov 2019 16:16:00 +0100
Subject: [PATCH 1/4] fix HTTP Digest handling in request.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
>      qop-options       = "qop" "=" <"> 1#qop-value <">
>      qop-value         = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server.  The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection

This is description confirmed by the definition of the [//n//]`#`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.

When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.
---
 Lib/urllib/request.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 721c152179e998..673d1d09349214 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -1136,7 +1136,7 @@ def get_authorization(self, req, chal):
         A2 = "%s:%s" % (req.get_method(),
                         # XXX selector: what about proxies and full urls
                         req.selector)
-        if qop == 'auth':
+        if 'auth' in qop.split(','):
             if nonce == self.last_nonce:
                 self.nonce_count += 1
             else:
@@ -1144,7 +1144,7 @@ def get_authorization(self, req, chal):
                 self.last_nonce = nonce
             ncvalue = '%08x' % self.nonce_count
             cnonce = self.get_cnonce(nonce)
-            noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, H(A2))
+            noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, 'auth', H(A2))
             respdig = KD(H(A1), noncebit)
         elif qop is None:
             respdig = KD(H(A1), "%s:%s" % (nonce, H(A2)))

From 5ade571778a3c1dbe8c2e027012653049032b7cc Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Wed, 6 Nov 2019 15:26:15 +0000
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
 =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst

diff --git a/Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst b/Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst
new file mode 100644
index 00000000000000..7a419ff1e3338e
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst
@@ -0,0 +1 @@
+Added support for multiple ``qop`` values in :class:`urllib.request.AbstractDigestAuthHandler`.
\ No newline at end of file

From 432c7b956df294f2fe1d4532c5b6912aeb954e7a Mon Sep 17 00:00:00 2001
From: PypeBros <PypeBros@users.noreply.github.com>
Date: Fri, 22 Nov 2019 18:12:11 +0100
Subject: [PATCH 3/4] bpo-38686 review fix: remember why.

---
 Lib/urllib/request.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 673d1d09349214..781f165864f25f 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -1136,6 +1136,8 @@ def get_authorization(self, req, chal):
         A2 = "%s:%s" % (req.get_method(),
                         # XXX selector: what about proxies and full urls
                         req.selector)
+        # NOTE: As per  RFC 2617, when server sends "auth,auth-int", the client could use either `auth`
+        #     or `auth-int` to the response back. we use `auth` to send the response back. 
         if 'auth' in qop.split(','):
             if nonce == self.last_nonce:
                 self.nonce_count += 1

From 95c6eefd259ba318b4c3efb4b11fc939d9bb2348 Mon Sep 17 00:00:00 2001
From: PypeBros <PypeBros@users.noreply.github.com>
Date: Fri, 22 Nov 2019 20:15:25 +0100
Subject: [PATCH 4/4] fix trailing space in Lib/urllib/request.py

Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
---
 Lib/urllib/request.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 781f165864f25f..3a933d6c50e6eb 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -1137,7 +1137,7 @@ def get_authorization(self, req, chal):
                         # XXX selector: what about proxies and full urls
                         req.selector)
         # NOTE: As per  RFC 2617, when server sends "auth,auth-int", the client could use either `auth`
-        #     or `auth-int` to the response back. we use `auth` to send the response back. 
+        #     or `auth-int` to the response back. we use `auth` to send the response back.
         if 'auth' in qop.split(','):
             if nonce == self.last_nonce:
                 self.nonce_count += 1