[New-bugs-announce] [issue13642] urllib incorrectly quotes username and password in https basic auth

Joonas Kuorilehto report at bugs.python.org
Tue Dec 20 16:03:45 CET 2011


New submission from Joonas Kuorilehto <oh8gdv at gmail.com>:

Reproduction:

>>> import urllib
>>> urllib.urlopen("https://example.com/")
Enter username for Test Site at example.com: user
Enter password for user in Test Site at example.com: top secret
Enter username for Test Site at example.com:
# If the correct password contains spaces, nothing will be accepted.

The problem is that the password in basic auth is URI quoted and then base64 encoded. The password should not be quoted.

RFC 2617:
      userid      = *<TEXT excluding ":">
      password    = *TEXT
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>

I traced the problem with Pydev to urllib retry_https_basic_auth where I can see that
  user = "user"
  passwd = "my secret password"

After that, the path is like this:
self.retry_https_basic_auth:
  self.open(fullurl="https://user:my%20%secret%20password@example.com/")
  self.open_https(url="://user:my%20%secret%20password@example.com/")
  => in open_https:
    host, selector = splithost(url)
    user_passwd, host = splituser(host)
    host = unquote(host)

user_passwd is not unquoted, host is.

I found closely related Issue2244 - but did not confirm where this bug has been introduced. I added some people from 2244 to this issue. I hope that is ok.

I think a test should be added that covers usernames and passwords with spaces to avoid further regressions. The reproduction code given works with Python 2.4.3 urllib. This probably also affects Python 3; I did not try it.

----------
components: Library (Lib)
messages: 149915
nosy: carljm, joneskoo, orsenthil
priority: normal
severity: normal
status: open
title: urllib incorrectly quotes username and password in https basic auth
type: behavior
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13642>
_______________________________________
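
Added example, not part of the original report and not urllib's own code: a Python 3 check of the kind the report asks for, building the Basic credential from a URL's userinfo with and without unquoting and decoding it as a server would. The helper names and sample credentials are constructed for illustration, and UTF-8 is assumed for the user-pass bytes.

```python
import base64
from urllib.parse import quote, unquote, urlsplit


def split_userinfo(url):
    """Return (user, passwd, host); user and passwd are still percent-encoded."""
    netloc = urlsplit(url).netloc
    userinfo, _, host = netloc.rpartition("@")  # the last "@" ends the userinfo
    user, _, passwd = userinfo.partition(":")   # RFC 2617: userid excludes ":"
    return user, passwd, host


def basic_auth_header(url, unquote_userinfo=True):
    """Authorization value for url; False reproduces the reported behaviour."""
    user, passwd, _ = split_userinfo(url)
    if unquote_userinfo:
        user, passwd = unquote(user), unquote(passwd)
    user_pass = f"{user}:{passwd}".encode("utf-8")  # charset is an assumption
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic(header):
    """What a server recovers from the header: (userid, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, passwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, passwd


def make_url(user, passwd, host="example.com"):
    """Embed credentials in a URL; they have to be quoted to form a valid URL."""
    return f"https://{quote(user, safe='')}:{quote(passwd, safe='')}@{host}/"


if __name__ == "__main__":
    # Constructed sample credentials, including the case from the report.
    for user, passwd in [("user", "top secret"), ("user", "p@ss:w%rd")]:
        url = make_url(user, passwd)
        print(url)
        print("  quoted   ->", decode_basic(basic_auth_header(url, False)))
        print("  unquoted ->", decode_basic(basic_auth_header(url, True)))
```

With unquoting skipped, the server sees the literal text `top%20secret` as the password, which is why a correct password containing spaces is never accepted.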

