[issue1025540] urllib2 http auth
Senthil
report at bugs.python.org
Tue Dec 23 04:31:42 CET 2008
Senthil <orsenthil at gmail.com> added the comment:
This issue makes a request to implement, plain-text inurl password
authentication like "https://user:password@host:port/ for HTTP Basic
Authentication. " for urllib2.
As per rfc3986, this is strongly discouraged and is deprecated.
See the section: 3.2.1. User Information
Use of the format "user:password" in the userinfo field is
deprecated. Applications should not render as clear text any data
after the first colon (":") character found within a userinfo
subcomponent unless the data after the colon is the empty string
(indicating no password). Applications may choose to ignore or
reject such data when it is received as part of a reference and
should reject the storage of such data in unencrypted form. The
passing of authentication information in clear text has proven to be
a security risk in almost every case where it has been used.
Also, this was reported on 2004-09-10! We do not have any other similar
requests inline. AFAIK, current urllib2 will authenticate and fetch the
documents with HTTP Basic authentication when password is passed along
in the url like the case specifies. I do not what was the case in 2004.
My conclusion for this request is to Close it as either "Invalid" or
"Wont Fix".
----------
nosy: +orsenthil
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue1025540>
_______________________________________
More information about the Python-bugs-list
mailing list