Hello Olaf, you write:
>> On Jan 12, 2018, at 6:54 PM, Harald Jörg <harald.jo...@arcor.de> wrote: >> >> Hello libwww, >> >> I've encountered a situation where browsers "just work" but >> LWP::UserAgent fails. >> [...] > > Thanks very much for this detailed explanation of what you've been > seeing. I don't really know this part of the code well enough to be > able to comment on this right now, but there was a recent pull request > which deals with authentication. Does > https://github.com/libwww-perl/libwww-perl/pull/255/files fix anything > for you? > > If it does or it doesn't, it might be worth commenting on the existing > pull request. Thanks for the pointer. Unfortunately that pull request tries to fix another issue which isn't closely related to my own. The pull request does, however, introduce yet another of these unconditional translations of commas to semicolons, which is somewhat foolhardy but doesn't do extra damage. I think I can prepare a fix to make authentication RFC compliant, but since I haven't working in the guts of LWP since 10+ years this would also be foolhardy :) Some more details on the handling of auth headers: If I have a header like this: WWW-Authenticate: Basic realm="Hello, world" ...then LWP::UA converts this value to 'Basic realm="Hello; world"'. This can't be right. Quoted strings should be retained as they are. The conversion is done with the intent to fit the specs of HTTP::Headers::Util::split_header_words, which works quite fine for headers which aren't WWW-Authenticate. But WWW-Authenticate is "special", to say it politely. The example in https://tools.ietf.org/html/rfc7235#section-4.1 reads: WWW-Authenticate: Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple" So, the comma is not only used to separate auth-params within one authentication scheme, it also separates two different authentication schemes. The RFC says, encouragingly, User agents are advised to take special care in parsing the field value, as it might contain more than one challenge, and each challenge can contain a comma-separated list of authentication parameters. Furthermore, the header field itself can occur multiple times. Today, LWP::UA wouldn't be able to process the RFC example correctly. The params of the header are parsed into a hash, so that the second realm clobbers the first. With the pull request it would be able to process the following equivalent headers quite fine: WWW-Authenticate: Newauth realm="apps", type=1, title="Login to \"apps\"" WWW-Authenticate: Basic realm="simple" The options are: Either we take special care in parsing the field value, or we just live with the fact that a comma in the realm might cause issues, like we did in the last 20 years. Ignorance is bliss :) -- Cheers, haj
