Skip to content

[3.8] bpo-38686: fix HTTP Digest handling in request.py (GH-17045)#17357

Merged
miss-islington merged 1 commit into
python:3.8from
miss-islington:backport-14a89c4-3.8
Nov 22, 2019
Merged

[3.8] bpo-38686: fix HTTP Digest handling in request.py (GH-17045)#17357
miss-islington merged 1 commit into
python:3.8from
miss-islington:backport-14a89c4-3.8

Conversation

@miss-islington

@miss-islington miss-islington commented Nov 22, 2019

Copy link
Copy Markdown
Contributor
  • fix HTTP Digest handling in request.py

There is a bug triggered when server replies to a request with WWW-Authenticate: Digest where qop="auth,auth-int" rather than mere qop="auth". Having both auth and auth-int is legitimate according to the qop-options rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:

 qop-options       = "qop" "=" <"> 1GH-qop-value <">
 qop-value         = "auth" | "auth-int" | token

qop-options: [...] If present, it is a quoted string of one or more tokens indicating the "quality of protection" values supported by the server. The value "auth" indicates authentication; the value "auth-int" indicates authentication with integrity protection

This is description confirmed by the definition of the [//n//]GH-[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.

When this reply is parsed by get_authorization, request.py only tests for identity with 'auth', failing to recognize it as one of the supported modes the server announced, and claims that "qop 'auth,auth-int' is not supported".

  • 📜🤖 Added by blurb_it.

  • bpo-38686 review fix: remember why.

  • fix trailing space in Lib/urllib/request.py

Co-Authored-By: Brandt Bucher brandtbucher@gmail.com
(cherry picked from commit 14a89c4)

Co-authored-by: PypeBros PypeBros@users.noreply.github.com

https://bugs.python.org/issue38686

* fix HTTP Digest handling in request.py

There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
>      qop-options       = "qop" "=" <"> 1GH-qop-value <">
>      qop-value         = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server.  The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection

This is description confirmed by the definition of the [//n//]`GH-`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.

When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.

* 📜🤖 Added by blurb_it.

* bpo-38686 review fix: remember why.

* fix trailing space in Lib/urllib/request.py

Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit 14a89c4)

Co-authored-by: PypeBros <PypeBros@users.noreply.github.com>
@miss-islington

Copy link
Copy Markdown
Contributor Author

@PypeBros and @orsenthil: Status check is done, and it's a success ✅ .

@miss-islington miss-islington merged commit b9e5547 into python:3.8 Nov 22, 2019
@miss-islington miss-islington deleted the backport-14a89c4-3.8 branch November 22, 2019 23:36
@miss-islington

Copy link
Copy Markdown
Contributor Author

@PypeBros and @orsenthil: Status check is done, and it's a success ✅ .

1 similar comment
@miss-islington

Copy link
Copy Markdown
Contributor Author

@PypeBros and @orsenthil: Status check is done, and it's a success ✅ .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type-bug An unexpected behavior, bug, or error

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants