New submission from Joonas Kuorilehto <oh8...@gmail.com>:

Reproduction:

>>> import urllib
>>> urllib.urlopen("https://example.com/")
Enter username for Test Site at example.com: user
Enter password for user in Test Site at example.com: top secret
Enter username for Test Site at example.com:
# If the correct password contains spaces, nothing will be accepted.

The problem is that the password in basic auth is URI quoted and then base64 
encoded. The password should not be quoted.

RFC 2617:
      userid      = *<TEXT excluding ":">
      password    = *TEXT
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>

I traced the problem with Pydev to urllib retry_https_basic_auth where I can 
see that
  user = "user"
  passwd = "my secret password"

After that, the path is like this:
self.retry_https_basic_auth:
  self.open(fullurl="https://user:my%20%secret%20passw...@example.com/")
  self.open_https(url="://user:my%20%secret%20passw...@example.com/")
  => in open_https:
    host, selector = splithost(url)
    user_passwd, host = splituser(host)
    host = unquote(host)

user_passwd is not unquoted, host is.

I found closely related Issue2244 - but did not confirm where this bug has been 
introduced. I added some people from 2244 to this issue. I hope that is ok.

I think a test should be added that covers usernames and passwords with spaces 
to avoid further regressions. The reproduction code given works with Python 
2.4.3 urllib. This probably also affects python3, did not try.

----------
components: Library (Lib)
messages: 149915
nosy: carljm, joneskoo, orsenthil
priority: normal
severity: normal
status: open
title: urllib incorrectly quotes username and password in https basic auth
type: behavior
versions: Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13642>
_______________________________________
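
Added example (not part of the original report and not urllib's own code): a Python 3 sketch of the mismatch described above, comparing a Basic auth header built from still-quoted userinfo with one built after unquoting. All function names are hypothetical and the credentials are constructed sample values.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlsplit

def url_with_credentials(user, passwd, host):
    # Userinfo has to be percent-encoded to form a valid URL.
    return "https://%s:%s@%s/" % (quote(user, safe=""), quote(passwd, safe=""), host)

def _userinfo(url):
    # Everything before the last "@" in the authority part.
    return urlsplit(url).netloc.rpartition("@")[0]

def _basic(credentials):
    return "Basic " + base64.b64encode(credentials.encode("utf-8")).decode("ascii")

def header_quoted(url):
    # Behaviour described in the report: userinfo is base64-encoded while
    # still percent-encoded, so "top secret" is sent as "top%20secret".
    return _basic(_userinfo(url))

def header_unquoted(url):
    # Split on the first ":" while still quoted (a ":" inside the password
    # is "%3A" at this point), then undo the URL quoting of each part.
    user, _, passwd = _userinfo(url).partition(":")
    return _basic(unquote(user) + ":" + unquote(passwd))

def decoded_credentials(header):
    # What a server sees after base64-decoding the Authorization value.
    return base64.b64decode(header.partition(" ")[2]).decode("utf-8")

def server_accepts(header, user, passwd):
    # RFC 2617 user-pass: userid has no ":", so split on the first one.
    got_user, _, got_pass = decoded_credentials(header).partition(":")
    return (hmac.compare_digest(got_user.encode(), user.encode())
            and hmac.compare_digest(got_pass.encode(), passwd.encode()))

if __name__ == "__main__":
    # Constructed sample credentials, including a password containing ":".
    for pw in ("plain", "top secret", "a:b c"):
        url = url_with_credentials("user", pw, "example.com")
        print(repr(pw), server_accepts(header_quoted(url), "user", pw),
              server_accepts(header_unquoted(url), "user", pw))
```

Passwords made only of unreserved characters pass either way, which is why a regression test needs credentials containing spaces or other characters that quoting changes.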