[issue23516] requests: parse_url() mishandles special characters when the URL specifies authentication credentials
Demian Brecht
report at bugs.python.org
Wed Feb 25 02:25:08 CET 2015
Demian Brecht added the comment:
> Sounds like this might be in a third-party module
+1. urllib3.url_parse doesn't make use of the standard library.
> userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
This leads me to believe that using something like this might work:
from urllib.parse import quote
userinfo = '{}:{}'.format(quote(user), quote(password))
That said, there's also another relevant block that should be of note in the RFC:
Use of the format "user:password" in the userinfo field is
deprecated. Applications should not render as clear text any data
after the first colon (":") character found within a userinfo
subcomponent unless the data after the colon is the empty string
(indicating no password). Applications may choose to ignore or
reject such data when it is received as part of a reference and
should reject the storage of such data in unencrypted form. The
passing of authentication information in clear text has proven to be
a security risk in almost every case where it has been used.
In any event, this issue should be closed as it's not related to the standard library.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23516>
_______________________________________
More information about the Python-bugs-list
mailing list