|
 |
1d2a87 |
diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
|
|
|
1d2a87 |
index 876fcd4..fe9a32b 100644
|
|
|
1d2a87 |
--- a/Lib/test/test_urllib2.py
|
|
|
1d2a87 |
+++ b/Lib/test/test_urllib2.py
|
|
|
1d2a87 |
@@ -1445,40 +1445,64 @@ class HandlerTests(unittest.TestCase):
|
|
|
1d2a87 |
bypass = {'exclude_simple': True, 'exceptions': []}
|
|
|
1d2a87 |
self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
|
|
|
1d2a87 |
|
|
|
1d2a87 |
- def test_basic_auth(self, quote_char='"'):
|
|
|
1d2a87 |
- opener = OpenerDirector()
|
|
|
1d2a87 |
- password_manager = MockPasswordManager()
|
|
|
1d2a87 |
- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
|
|
|
1d2a87 |
- realm = "ACME Widget Store"
|
|
|
1d2a87 |
- http_handler = MockHTTPHandler(
|
|
|
1d2a87 |
- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
|
|
|
1d2a87 |
- (quote_char, realm, quote_char))
|
|
|
1d2a87 |
- opener.add_handler(auth_handler)
|
|
|
1d2a87 |
- opener.add_handler(http_handler)
|
|
|
1d2a87 |
- self._test_basic_auth(opener, auth_handler, "Authorization",
|
|
|
1d2a87 |
- realm, http_handler, password_manager,
|
|
|
1d2a87 |
- "http://acme.example.com/protected",
|
|
|
1d2a87 |
- "http://acme.example.com/protected",
|
|
|
1d2a87 |
- )
|
|
|
1d2a87 |
-
|
|
|
1d2a87 |
- def test_basic_auth_with_single_quoted_realm(self):
|
|
|
1d2a87 |
- self.test_basic_auth(quote_char="'")
|
|
|
1d2a87 |
-
|
|
|
1d2a87 |
- def test_basic_auth_with_unquoted_realm(self):
|
|
|
1d2a87 |
- opener = OpenerDirector()
|
|
|
1d2a87 |
- password_manager = MockPasswordManager()
|
|
|
1d2a87 |
- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
|
|
|
1d2a87 |
- realm = "ACME Widget Store"
|
|
|
1d2a87 |
- http_handler = MockHTTPHandler(
|
|
|
1d2a87 |
- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
|
|
|
1d2a87 |
- opener.add_handler(auth_handler)
|
|
|
1d2a87 |
- opener.add_handler(http_handler)
|
|
|
1d2a87 |
- with self.assertWarns(UserWarning):
|
|
|
1d2a87 |
+ def check_basic_auth(self, headers, realm):
|
|
|
1d2a87 |
+ with self.subTest(realm=realm, headers=headers):
|
|
|
1d2a87 |
+ opener = OpenerDirector()
|
|
|
1d2a87 |
+ password_manager = MockPasswordManager()
|
|
|
1d2a87 |
+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
|
|
|
1d2a87 |
+ body = '\r\n'.join(headers) + '\r\n\r\n'
|
|
|
1d2a87 |
+ http_handler = MockHTTPHandler(401, body)
|
|
|
1d2a87 |
+ opener.add_handler(auth_handler)
|
|
|
1d2a87 |
+ opener.add_handler(http_handler)
|
|
|
1d2a87 |
self._test_basic_auth(opener, auth_handler, "Authorization",
|
|
|
1d2a87 |
- realm, http_handler, password_manager,
|
|
|
1d2a87 |
- "http://acme.example.com/protected",
|
|
|
1d2a87 |
- "http://acme.example.com/protected",
|
|
|
1d2a87 |
- )
|
|
|
1d2a87 |
+ realm, http_handler, password_manager,
|
|
|
1d2a87 |
+ "http://acme.example.com/protected",
|
|
|
1d2a87 |
+ "http://acme.example.com/protected")
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ def test_basic_auth(self):
|
|
|
1d2a87 |
+ realm = "realm2@example.com"
|
|
|
1d2a87 |
+ realm2 = "realm2@example.com"
|
|
|
1d2a87 |
+ basic = f'Basic realm="{realm}"'
|
|
|
1d2a87 |
+ basic2 = f'Basic realm="{realm2}"'
|
|
|
1d2a87 |
+ other_no_realm = 'Otherscheme xxx'
|
|
|
1d2a87 |
+ digest = (f'Digest realm="{realm2}", '
|
|
|
1d2a87 |
+ f'qop="auth, auth-int", '
|
|
|
1d2a87 |
+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
|
|
|
1d2a87 |
+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
|
|
|
1d2a87 |
+ for realm_str in (
|
|
|
1d2a87 |
+ # test "quote" and 'quote'
|
|
|
1d2a87 |
+ f'Basic realm="{realm}"',
|
|
|
1d2a87 |
+ f"Basic realm='{realm}'",
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ # charset is ignored
|
|
|
1d2a87 |
+ f'Basic realm="{realm}", charset="UTF-8"',
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ # Multiple challenges per header
|
|
|
1d2a87 |
+ f'{basic}, {basic2}',
|
|
|
1d2a87 |
+ f'{basic}, {other_no_realm}',
|
|
|
1d2a87 |
+ f'{other_no_realm}, {basic}',
|
|
|
1d2a87 |
+ f'{basic}, {digest}',
|
|
|
1d2a87 |
+ f'{digest}, {basic}',
|
|
|
1d2a87 |
+ ):
|
|
|
1d2a87 |
+ headers = [f'WWW-Authenticate: {realm_str}']
|
|
|
1d2a87 |
+ self.check_basic_auth(headers, realm)
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ # no quote: expect a warning
|
|
|
1d2a87 |
+ with support.check_warnings(("Basic Auth Realm was unquoted",
|
|
|
1d2a87 |
+ UserWarning)):
|
|
|
1d2a87 |
+ headers = [f'WWW-Authenticate: Basic realm={realm}']
|
|
|
1d2a87 |
+ self.check_basic_auth(headers, realm)
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ # Multiple headers: one challenge per header.
|
|
|
1d2a87 |
+ # Use the first Basic realm.
|
|
|
1d2a87 |
+ for challenges in (
|
|
|
1d2a87 |
+ [basic, basic2],
|
|
|
1d2a87 |
+ [basic, digest],
|
|
|
1d2a87 |
+ [digest, basic],
|
|
|
1d2a87 |
+ ):
|
|
|
1d2a87 |
+ headers = [f'WWW-Authenticate: {challenge}'
|
|
|
1d2a87 |
+ for challenge in challenges]
|
|
|
1d2a87 |
+ self.check_basic_auth(headers, realm)
|
|
|
1d2a87 |
|
|
|
1d2a87 |
def test_proxy_basic_auth(self):
|
|
|
1d2a87 |
opener = OpenerDirector()
|
|
|
1d2a87 |
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
|
|
|
1d2a87 |
index c9945d9..6624e04 100644
|
|
|
1d2a87 |
--- a/Lib/urllib/request.py
|
|
|
1d2a87 |
+++ b/Lib/urllib/request.py
|
|
|
1d2a87 |
@@ -945,8 +945,15 @@ class AbstractBasicAuthHandler:
|
|
|
1d2a87 |
|
|
|
1d2a87 |
# allow for double- and single-quoted realm values
|
|
|
1d2a87 |
# (single quotes are a violation of the RFC, but appear in the wild)
|
|
|
1d2a87 |
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
|
|
|
1d2a87 |
- 'realm=(["\']?)([^"\']*)\\2', re.I)
|
|
|
1d2a87 |
+ rx = re.compile('(?:^|,)' # start of the string or ','
|
|
|
1d2a87 |
+ '[ \t]*' # optional whitespaces
|
|
|
1d2a87 |
+ '([^ \t]+)' # scheme like "Basic"
|
|
|
1d2a87 |
+ '[ \t]+' # mandatory whitespaces
|
|
|
1d2a87 |
+ # realm=xxx
|
|
|
1d2a87 |
+ # realm='xxx'
|
|
|
1d2a87 |
+ # realm="xxx"
|
|
|
1d2a87 |
+ 'realm=(["\']?)([^"\']*)\\2',
|
|
|
1d2a87 |
+ re.I)
|
|
|
1d2a87 |
|
|
|
1d2a87 |
# XXX could pre-emptively send auth info already accepted (RFC 2617,
|
|
|
1d2a87 |
# end of section 2, and section 1.2 immediately after "credentials"
|
|
|
1d2a87 |
@@ -958,27 +965,51 @@ class AbstractBasicAuthHandler:
|
|
|
1d2a87 |
self.passwd = password_mgr
|
|
|
1d2a87 |
self.add_password = self.passwd.add_password
|
|
|
1d2a87 |
|
|
|
1d2a87 |
+ def _parse_realm(self, header):
|
|
|
1d2a87 |
+ # parse WWW-Authenticate header: accept multiple challenges per header
|
|
|
1d2a87 |
+ found_challenge = False
|
|
|
1d2a87 |
+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
|
|
|
1d2a87 |
+ scheme, quote, realm = mo.groups()
|
|
|
1d2a87 |
+ if quote not in ['"', "'"]:
|
|
|
1d2a87 |
+ warnings.warn("Basic Auth Realm was unquoted",
|
|
|
1d2a87 |
+ UserWarning, 3)
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ yield (scheme, realm)
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ found_challenge = True
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ if not found_challenge:
|
|
|
1d2a87 |
+ if header:
|
|
|
1d2a87 |
+ scheme = header.split()[0]
|
|
|
1d2a87 |
+ else:
|
|
|
1d2a87 |
+ scheme = ''
|
|
|
1d2a87 |
+ yield (scheme, None)
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
def http_error_auth_reqed(self, authreq, host, req, headers):
|
|
|
1d2a87 |
# host may be an authority (without userinfo) or a URL with an
|
|
|
1d2a87 |
# authority
|
|
|
1d2a87 |
- # XXX could be multiple headers
|
|
|
1d2a87 |
- authreq = headers.get(authreq, None)
|
|
|
1d2a87 |
+ headers = headers.get_all(authreq)
|
|
|
1d2a87 |
+ if not headers:
|
|
|
1d2a87 |
+ # no header found
|
|
|
1d2a87 |
+ return
|
|
|
1d2a87 |
|
|
|
1d2a87 |
- if authreq:
|
|
|
1d2a87 |
- scheme = authreq.split()[0]
|
|
|
1d2a87 |
- if scheme.lower() != 'basic':
|
|
|
1d2a87 |
- raise ValueError("AbstractBasicAuthHandler does not"
|
|
|
1d2a87 |
- " support the following scheme: '%s'" %
|
|
|
1d2a87 |
- scheme)
|
|
|
1d2a87 |
- else:
|
|
|
1d2a87 |
- mo = AbstractBasicAuthHandler.rx.search(authreq)
|
|
|
1d2a87 |
- if mo:
|
|
|
1d2a87 |
- scheme, quote, realm = mo.groups()
|
|
|
1d2a87 |
- if quote not in ['"',"'"]:
|
|
|
1d2a87 |
- warnings.warn("Basic Auth Realm was unquoted",
|
|
|
1d2a87 |
- UserWarning, 2)
|
|
|
1d2a87 |
- if scheme.lower() == 'basic':
|
|
|
1d2a87 |
- return self.retry_http_basic_auth(host, req, realm)
|
|
|
1d2a87 |
+ unsupported = None
|
|
|
1d2a87 |
+ for header in headers:
|
|
|
1d2a87 |
+ for scheme, realm in self._parse_realm(header):
|
|
|
1d2a87 |
+ if scheme.lower() != 'basic':
|
|
|
1d2a87 |
+ unsupported = scheme
|
|
|
1d2a87 |
+ continue
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ if realm is not None:
|
|
|
1d2a87 |
+ # Use the first matching Basic challenge.
|
|
|
1d2a87 |
+ # Ignore following challenges even if they use the Basic
|
|
|
1d2a87 |
+ # scheme.
|
|
|
1d2a87 |
+ return self.retry_http_basic_auth(host, req, realm)
|
|
|
1d2a87 |
+
|
|
|
1d2a87 |
+ if unsupported is not None:
|
|
|
1d2a87 |
+ raise ValueError("AbstractBasicAuthHandler does not "
|
|
|
1d2a87 |
+ "support the following scheme: %r"
|
|
|
1d2a87 |
+ % (scheme,))
|
|
|
1d2a87 |
|
|
|
1d2a87 |
def retry_http_basic_auth(self, host, req, realm):
|
|
|
1d2a87 |
user, pw = self.passwd.find_user_password(realm, host)
|