diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2019-11-22 15:38:37 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-11-22 15:38:37 -0800 |
| commit | 07432c33a0cab9d40ec71b274ec4bca5c57ca6e9 (patch) | |
| tree | 12136ee02cc2fc12cb7d1dd05b7d2f8192311810 | |
| parent | c58a8116475fc9e90fe87b150cde4e535173ec1c (diff) | |
| download | cpython-git-07432c33a0cab9d40ec71b274ec4bca5c57ca6e9.tar.gz | |
bpo-38686: fix HTTP Digest handling in request.py (GH-17045)
* fix HTTP Digest handling in request.py
There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
> qop-options = "qop" "=" <"> 1GH-qop-value <">
> qop-value = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server. The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection
This is description confirmed by the definition of the [//n//]`GH-`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.
When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.
* 📜🤖 Added by blurb_it.
* bpo-38686 review fix: remember why.
* fix trailing space in Lib/urllib/request.py
Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit 14a89c47983f2fb9e7fdf33c769e622eefd3a14a)
Co-authored-by: PypeBros <PypeBros@users.noreply.github.com>
| -rw-r--r-- | Lib/urllib/request.py | 6 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst | 1 |
2 files changed, 5 insertions, 2 deletions
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index 37b2548628..1ec484ed24 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -1143,7 +1143,9 @@ class AbstractDigestAuthHandler: A2 = "%s:%s" % (req.get_method(), # XXX selector: what about proxies and full urls req.selector) - if qop == 'auth': + # NOTE: As per RFC 2617, when server sends "auth,auth-int", the client could use either `auth` + # or `auth-int` to the response back. we use `auth` to send the response back. + if 'auth' in qop.split(','): if nonce == self.last_nonce: self.nonce_count += 1 else: @@ -1151,7 +1153,7 @@ class AbstractDigestAuthHandler: self.last_nonce = nonce ncvalue = '%08x' % self.nonce_count cnonce = self.get_cnonce(nonce) - noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, H(A2)) + noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, 'auth', H(A2)) respdig = KD(H(A1), noncebit) elif qop is None: respdig = KD(H(A1), "%s:%s" % (nonce, H(A2))) diff --git a/Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst b/Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst new file mode 100644 index 0000000000..7a419ff1e3 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2019-11-06-15-26-15.bpo-38686.HNFBce.rst @@ -0,0 +1 @@ +Added support for multiple ``qop`` values in :class:`urllib.request.AbstractDigestAuthHandler`.
\ No newline at end of file |