[Python-bugs-list] [ python-Bugs-468948 ] urllib2, basic authentication, & 302 (original) (raw)

noreply@sourceforge.net noreply@sourceforge.net
Tue, 09 Oct 2001 19:11:58 -0700

Bugs item #468948, was opened at 2001-10-07 21:19 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=105470&aid=468948&group_id=5470

Category: Python Library Group: None Status: Open Resolution: None Priority: 5 Submitted By: Jeffrey C. Ollie (jcollie)

Assigned to: Jeremy Hylton (jhylton) Summary: urllib2, basic authentication, & 302

Initial Comment: I've found a bug in how urllib2 handles authentication. The crux of the problem is that the AbstractBasicAuthHandler.__current_realm is basically a global variable. I discovered the bug because I needed to use HTTP basic authentication and the HTTP If-Modified-Since header. Since the HTTP server returns a 302 error if the requested URL has not changed the line of code that resets AbstractBasicAuthHandler.__current_realm back to None never gets executed because an exception will be raised when the retrieval is retried. I suspect that this bug would also cause problems in multi-threaded code. The digest authentication appears to have similar problems.

The solution that I found is to get rid of the __current_realm attribute and prevent infinite retries by checking for the presence of an Authenticate: header in the request object that exactly matches the Authenticate: header that would be added.

The bug exists in 2.1.1, 2.2a4 and the current CVS.

Patch attached.

Comment By: Jeffrey C. Ollie (jcollie) Date: 2001-10-09 10:21

Message: Logged In: YES user_id=37310

Oops, that patch that I attached is reversed, use -R!

You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=105470&aid=468948&group_id=5470