[New-bugs-announce] [issue39548] Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop'
Stephen Balousek
report at bugs.python.org
Mon Feb 3 18:31:29 EST 2020
New submission from Stephen Balousek <stephen at balousek.net>:
When making an HTTP request using an opener with an attached HTTPDigestAuthHandler, the request causes a crash when the returned 'WWW-Authenticate' header for the 'Digest' domain does not return the optional 'qop' value.
Response headers:
=================
Content-Type: application/json
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline';img-src 'self' data:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 600
WWW-Authenticate: Digest realm="ServiceManager", nonce="1580815098100956"
WWW-Authenticate: Basic realm="ServiceManager", charset="UTF-8"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Expires: 0
Pragma: no-cache
Crash:
======
Error: Exception: 'NoneType' object has no attribute 'split'
Traceback (most recent call last):
...
File "/home/sbalousek/bin/restap.py", line 1317, in RunTest
status, payload, contentType = ExecuteRequest(baseUrl, test, tap);
File "/home/sbalousek/bin/restap.py", line 1398, in ExecuteRequest
response = opener.open(request, payload, timeout);
File "/usr/lib/python3.8/urllib/request.py", line 523, in open
response = meth(req, response)
File "/home/sbalousek/bin/restap.py", line 1065, in http_response
return self.process_response(request, response, HTTPErrorProcessor.http_response);
File "/home/sbalousek/bin/restap.py", line 1056, in process_response
return handler(self, request, response);
File "/usr/lib/python3.8/urllib/request.py", line 632, in http_response
response = self.parent.error(
File "/usr/lib/python3.8/urllib/request.py", line 555, in error
result = self._call_chain(*args)
File "/usr/lib/python3.8/urllib/request.py", line 494, in _call_chain
result = func(*args)
File "/usr/lib/python3.8/urllib/request.py", line 1203, in http_error_401
retry = self.http_error_auth_reqed('www-authenticate',
File "/usr/lib/python3.8/urllib/request.py", line 1082, in http_error_auth_reqed
return self.retry_http_digest_auth(req, authreq)
File "/usr/lib/python3.8/urllib/request.py", line 1090, in retry_http_digest_auth
auth = self.get_authorization(req, chal)
File "/usr/lib/python3.8/urllib/request.py", line 1143, in get_authorization
if 'auth' in qop.split(','):
AttributeError: 'NoneType' object has no attribute 'split'
Diagnosis:
==========
The crash is a result of an optional 'qop' value missing from the 'WWW-Authenticate' header.
This bug was introduced in changes for issue 38686.
----------
components: Library (Lib)
messages: 361330
nosy: Stephen Balousek
priority: normal
severity: normal
status: open
title: Request fails when 'WWW-Authenticate' header for Digest Authentication does not contain 'qop'
type: crash
versions: Python 3.8, Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39548>
_______________________________________
More information about the New-bugs-announce
mailing list