[Patches] [ python-Patches-1470846 ] urllib2 ProxyBasicAuthHandler broken
SourceForge.net
noreply at sourceforge.net
Sat Apr 15 19:59:04 CEST 2006
Patches item #1470846, was opened at 2006-04-15 15:22
Message generated for change (Comment added) made by jjlee
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1470846&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Library (Lib)
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: John J Lee (jjlee)
Assigned to: Nobody/Anonymous (nobody)
Summary: urllib2 ProxyBasicAuthHandler broken
Initial Comment:
urllib2.ProxyBasicAuthHandler has been broken since
revision 38092 back in December 2004 (unlike the
alternative, using a userinfo URL component in the
string passed to ProxyHandler, e.g.
"joe:password at example.com", which works fine ATM).
There are two problems: First, with a proxy, you're
always authenticating yourself for the whole proxy, not
just for a specific path. Second, you're
authenticating yourself to the proxy, not to the HTTP
server. The ProxyBasicAuthHandler subclass dutifully
passes in the right thing for the host argument, but
AbstractBasicAuthHandler ignores it, which means that
it never finds the password -- e.g. if you're trying to
connect to http://python.org/dev through myproxy.com,
it'll be looking for a username/password for
http://python.org/dev instead of the needed myproxy.com.
Since fixing this entails the host argument to
http_error_auth_reqed no longer being ignored,
HTTPBasicAuthHandler must now pass the full URL, which
means AbstractBasicAuthHandler must accept either an
authority or a URL. ProxyBasicAuthHandler could also
supply a full URL like "http://proxy.example.com/", but
the 'host' argument prior to December 2004 was not
ignored, and accepted a hostname (!), so we should keep
that working rather than insisting on a full URL. I
also documented this behaviour.
The patch fixes the bug, adds several new tests, and
updates and fixes mis-named method documentation for
http_error_auth_reqed, and a typo in the examples.
Note one of the tests in the attached patch relies on a
currently non-existent URL at python.org requiring
basic authorization (not *proxy* basic auth in this
test, just basic auth). So I guess the code in the
test_urllib2net.py patch hunk has to be commented out
or something until somebody adds the necessary few
lines of Apache config.
Would also be nice to add a functional test for Proxy
auth itself. I'm sure python.org doesn't want to be
the world's proxy, but something could be configured
that does the basic auth dance then responds with 403.
What would be most suitable: something like
SimpleHTTPServer sitting behind Apache, some mod_python
magic...??
----------------------------------------------------------------------
>Comment By: John J Lee (jjlee)
Date: 2006-04-15 18:59
Message:
Logged In: YES
user_id=261020
I should have mentioned in my initial comment that this
patch also fixes bug 900898 (an HTTPPasswordMgr bug that
arises when an authority with a port is passed to
.find_user_password()). The patch includes tests for this
issue, but I've just added a couple more: patch
"proxy_path_2.patch" includes those new tests and supercedes
"proxy_path.patch".
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1470846&group_id=5470
More information about the Patches
mailing list