[New-bugs-announce] [issue4675] urllib's splitpasswd does not accept newline chars in passwords
Mihai Ibanescu
report at bugs.python.org
Tue Dec 16 20:27:12 CET 2008
New submission from Mihai Ibanescu <mihai.ibanescu at gmail.com>:
According to http://www.ietf.org/rfc/rfc2617.txt section 2, in basic
HTTP authentication the password can be any character (including newline).
urllib does the following:
_passwdprog = re.compile('^([^:]*):(.*)$')
That should be changed to:
_passwdprog = re.compile('^([^:]*):(.*)$', re.S)
otherwise newlines will not be caught by the second part of the regex,
and bad things are produced.
For a password with regular chars in it:
> python -c "import urllib; print urllib.splitpasswd('user:ab')"
('user', 'ab')
For a password with a newline:
> python -c "import urllib; print urllib.splitpasswd('user:a\nb')"
('user:a\nb', None)
The expected result should have been ('user', 'a\nb')
----------
components: Library (Lib)
messages: 77919
nosy: mibanescu
severity: normal
status: open
title: urllib's splitpasswd does not accept newline chars in passwords
type: behavior
versions: Python 2.6, Python 3.0
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4675>
_______________________________________
More information about the New-bugs-announce
mailing list