[ python-Bugs-944082 ] urllib2 authentication mishandles empty password

SourceForge.net noreply at sourceforge.net
Fri Jun 18 11:54:23 EDT 2004


Bugs item #944082, was opened at 2004-04-28 19:02
Message generated for change (Comment added) made by mkc
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=944082&group_id=5470

Category: Python Library
Group: None
Status: Closed
Resolution: Fixed
Priority: 5
Submitted By: Jacek Trzmiel (yangir)
Assigned to: Nobody/Anonymous (nobody)
Summary: urllib2 authentication mishandles empty password

Initial Comment:
If example.org requires authentication, then the following code:

import urllib2

host = 'example.org'
user = 'testuser'
password = ''   # empty, but valid for this account
url = 'http://%s/' % host
# Register the credentials for any realm on this host
authInfo = urllib2.HTTPPasswordMgrWithDefaultRealm()
authInfo.add_password( None, host, user, password )
authHandler = urllib2.HTTPBasicAuthHandler( authInfo )
opener = urllib2.build_opener( authHandler )
urlFile = opener.open( url )
print urlFile.read()

will die by throwing HTTPError 401:

  File "/usr/lib/python2.3/urllib2.py", line 419, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 401: Authorization Required

even if authenticating with 'testuser' and empty 
password is valid.


Empty password is mishandled (i.e. authentication with 
empty password string is ignored) in 
AbstractBasicAuthHandler.retry_http_basic_auth

def retry_http_basic_auth(self, host, req, realm):
    user,pw = self.passwd.find_user_password(realm, host)
    if pw:
    [...]


It can be fixed by changing:
    if pw:
to
    if pw is not None:



Python 2.3.2 (#1, Oct  9 2003, 12:03:29) 
[GCC 3.3.1 (cygming special)] on cygwin
Type "help", "copyright", "credits" or "license" for more information.


----------------------------------------------------------------------

Comment By: Mike Coleman (mkc)
Date: 2004-06-18 10:54

Message:

The change that was made here probably fixes the bug, but it
looks like it would be better to make the test "user is not
None" rather than "pw is not None", since there are two
other places in the code that check the output of this
function by checking the None-ness of user and no code that
checks the None-ness of pw.  (A comment that 'user' is what
is to be checked would also be useful.)

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2004-05-05 20:41

Message:

This is fixed with patch #944110.

----------------------------------------------------------------------
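
The three guards discussed in this thread, compared side by side in an added example that is not part of the original report or of the urllib2 source. It uses Python 3's urllib.request password manager (the successor to urllib2); the guard_* helpers, evaluate(), build_manager() and the second account are hypothetical and constructed for illustration.

```python
import base64
from urllib.request import HTTPPasswordMgrWithDefaultRealm

def basic_header(user, pw):
    """Authorization header value for HTTP Basic auth."""
    raw = ("%s:%s" % (user, pw)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

# Each guard returns the header the handler would retry with, or None when
# it gives up and the 401 reaches the caller.
def guard_truthy(user, pw):          # reported code: "if pw:"
    return basic_header(user, pw) if pw else None

def guard_pw_not_none(user, pw):     # reporter's fix: "if pw is not None:"
    return basic_header(user, pw) if pw is not None else None

def guard_user_not_none(user, pw):   # mkc's suggestion: "user is not None"
    return basic_header(user, pw) if user is not None else None

def build_manager():
    mgr = HTTPPasswordMgrWithDefaultRealm()
    # Empty but valid password, as in the report.
    mgr.add_password(None, "example.org", "testuser", "")
    # Constructed second account with a non-empty password.
    mgr.add_password(None, "files.example.org", "alice", "s3cret")
    return mgr

def evaluate(mgr, realm, host):
    """Look up credentials and apply all three guards to the result."""
    user, pw = mgr.find_user_password(realm, host)
    return {
        "lookup": (user, pw),
        "if pw": guard_truthy(user, pw),
        "if pw is not None": guard_pw_not_none(user, pw),
        "if user is not None": guard_user_not_none(user, pw),
    }

if __name__ == "__main__":
    mgr = build_manager()
    for host in ("example.org", "files.example.org", "unknown.example"):
        print(host)
        for name, value in evaluate(mgr, "Some Realm", host).items():
            print("   %-20s %r" % (name, value))
```

An unknown host yields (None, None) from the lookup, so both None-based guards still decline to send credentials; only the truthiness test confuses "no entry" with "entry whose password is empty".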
