Issue 5286: urllib2 digest authentication problems
I introduced Python to my dad, and the first thing he did with it was to try to connect to a proprietary HTTP-based server, which uses Digest authentication. It looks like urllib2's Digest support isn't well tested. So, after not much more than a "Hello World", he ended up patching urllib2 (and learning a lot more about Python than he would have)...
Anyways, here are the problems:
Currently, AbstractBasicAuthHandler and AbstractDigestAuthHandler each use a different method to find out whether they should kick in. This matters when the server supports both methods, and sends out two authentication headers. Basic uses a regexp that matches the last header, and Digest looks at the first one. So, if the server happens to support both, and sends the digest header after the basic one, each of the handlers assumes the other one should handle it and none does. The fix in the patch is crude, but it should work better than now.
nonce_count should be reset when the server issues a new nonce (See RFC 2617, page 12, nonce-count). So, the nonce value should be stored and nonce_count should be reset if it doesn't match.
Added a max_attempts attribute and set it to 2 by default (instead of 5). Two may or may not work better in general, but it should probably be configurable. This particular change is not too critical, obviously.
The HTTPError returned from the digest handler is not a file-like object, due to http_error_auth_reqed not taking a "fp" argument. The patch fixes that and the two calls to it.
Credit Libor Viktorin if some of the patch makes it.
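The nonce-count rule raised in the report, as an added example that is not code from the patch or from urllib2: the client keeps the last nonce it saw and restarts `nc` at 1 when the server issues a new one, and because `nc` is hashed into the response, a stale count produces a digest the server rejects. `DigestState` and `digest_response` are hypothetical names, and the sample values are those of the worked example in RFC 2617, section 3.5.

```python
import hashlib


def _md5_hex(text):
    # RFC 2617 defaults to MD5 for the digest algorithm.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


class DigestState:
    """Hypothetical helper: tracks nonce-count per server nonce."""

    def __init__(self):
        self.last_nonce = None
        self.nonce_count = 0

    def next_nc(self, nonce):
        # nc counts requests sent with *this* nonce value, so a nonce
        # that differs from the stored one restarts the count.
        if nonce != self.last_nonce:
            self.last_nonce = nonce
            self.nonce_count = 0
        self.nonce_count += 1
        return "%08x" % self.nonce_count


def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    # request-digest for qop=auth:
    #   MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)
    ha1 = _md5_hex("%s:%s:%s" % (user, realm, password))
    ha2 = _md5_hex("%s:%s" % (method, uri))
    return _md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


if __name__ == "__main__":
    state = DigestState()
    # Sample values from the RFC 2617 section 3.5 example.
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    creds = ("Mufasa", "testrealm@host.com", "Circle Of Life")
    for n in (nonce, nonce, "constructed-new-nonce"):
        nc = state.next_nc(n)
        resp = digest_response(*creds, "GET", "/dir/index.html",
                               n, nc, "0a4f113b")
        print(n[:8], nc, resp)
```
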