New submission from Andrew Nelis <andrew.ne...@gmail.com>:

When using Digest authentication to authenticate with a web server, according to rfc2617 (section 3.2.2.5) the uri in the Authorization header MUST match the request URI.

urllib2.AbstractDigestAuthHandler doesn't honour this when we request a url of the form 'http://hostname' without the trailing slash and we end up with request headers of the form:

    GET / 1.1
    ...
    Authorization: Digest ... uri="" <- should be uri="/"!

A web server will return 400 Bad Request error.

I attach a patch to fix urllib2.AbstractDigestAuthHandler.get_authorization that simply checks for the empty uri and uses '/' instead. It's the same thing that httplib.HTTPConnection does when it builds the GET line.

However I do wonder if this uri normalisation should be part of Request.get_selector?

Following is a script to demonstrate the behaviour, if you call it as:

    ./do_digest_request.py http://myserver username password

(and assuming myserver is using Digest authentication) there will be a 400 response instead of it working.

--- do_digest_request.py

#!/usr/bin/env python
import sys
import urllib2
import urlparse

def request( url, username, password ):
    p = urlparse.urlparse( url )

    # Register the credentials for any realm on the target host.
    password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm()
    password_manager.add_password( None, p.hostname, username, password )

    handlers = [
        urllib2.HTTPDigestAuthHandler( password_manager ),
    ]

    opener = urllib2.build_opener( *handlers )

    # The first attempt gets a 401 challenge; the handler then retries
    # with an Authorization: Digest header.
    request = urllib2.Request( url )
    response = opener.open( request )
    response.read()

if __name__ == '__main__':
    request( sys.argv[1], sys.argv[2], sys.argv[3] )

----------
components: Library (Lib)
files: urllib2.diff
keywords: patch
messages: 106649
nosy: anelis
priority: normal
severity: normal
status: open
title: urllib2 Digest Authorization uri must match request URI
type: behavior
versions: Python 2.7
Added file: http://bugs.python.org/file17480/urllib2.diff

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8843>
_______________________________________
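
The mismatch described in the report, as an added Python 3 example that is not part of the original submission or the attached patch: it computes the RFC 2617 request-digest (MD5, qop=auth) for a URL with no path, with and without the '/' fallback, and runs it through a strict server-side check. All function names, the realm, the nonce and the cnonce are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def selector_for(url, normalise):
    """Path plus query from the URL; this is '' for 'http://hostname'."""
    parts = urlsplit(url)
    selector = parts.path + ("?" + parts.query if parts.query else "")
    if normalise and not selector:
        selector = "/"  # the fallback the report proposes
    return selector

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(":".join([user, realm, password]))
    ha2 = md5_hex(":".join([method, uri]))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))

def client_authorization(url, method, user, password, challenge, normalise):
    """Fields a client would put in the Authorization: Digest header."""
    uri = selector_for(url, normalise)
    nc, cnonce = "00000001", "0a4f113b"  # constructed sample values
    response = digest_response(user, challenge["realm"], password, method,
                               uri, challenge["nonce"], nc, cnonce)
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "nc": nc,
            "cnonce": cnonce, "response": response}

def server_status(method, request_uri, auth, password):
    """Strict server: 400 on uri mismatch, 401 on wrong digest, else 200."""
    if auth["uri"] != request_uri:
        return 400
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"])
    return 200 if hmac.compare_digest(expected, auth["response"]) else 401

def demo():
    challenge = {"realm": "example", "nonce": "constructed-nonce"}  # constructed
    request_uri = "/"  # what the request line carries for a URL with no path
    out = {}
    for normalise in (False, True):
        auth = client_authorization("http://myserver", "GET", "username",
                                    "password", challenge, normalise)
        out[normalise] = (auth["uri"], server_status("GET", request_uri, auth, "password"))
    return out

if __name__ == "__main__":
    print(demo())
```

Because the uri value is hashed into the response, a server cannot repair the mismatch by substituting '/' on its side; the client has to send the normalised value.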