cpython/Lib/urllib
Miss Islington (bot) 07432c33a0
bpo-38686: fix HTTP Digest handling in request.py (GH-17045)
* fix HTTP Digest handling in request.py

There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
>      qop-options       = "qop" "=" <"> 1GH-qop-value <">
>      qop-value         = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server.  The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection

This is description confirmed by the definition of the [//n//]`GH-`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.

When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.

* 📜🤖 Added by blurb_it.

* bpo-38686 review fix: remember why.

* fix trailing space in Lib/urllib/request.py

Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit 14a89c4798)

Co-authored-by: PypeBros <PypeBros@users.noreply.github.com>
2019-11-22 15:38:37 -08:00
..
__init__.py
error.py bpo-30022: Get rid of using EnvironmentError and IOError (except test… (#1051) 2017-04-16 10:46:38 +03:00
parse.py bpo-27657: Fix urlparse() with numeric paths (GH-661) 2019-10-18 06:24:28 -07:00
request.py bpo-38686: fix HTTP Digest handling in request.py (GH-17045) 2019-11-22 15:38:37 -08:00
response.py Issue #23865: close() methods in multiple modules now are idempotent and more 2015-04-10 13:24:41 +03:00
robotparser.py bpo-35922: Fix RobotFileParser when robots.txt has no relevant crawl delay or request rate (GH-11791) 2019-06-16 00:10:06 -07:00