bpo-46756: Fix authorization check in urllib.request#31353
Merged
serhiy-storchaka merged 1 commit intopython:mainfrom Feb 25, 2022
Merged
bpo-46756: Fix authorization check in urllib.request#31353serhiy-storchaka merged 1 commit intopython:mainfrom
serhiy-storchaka merged 1 commit intopython:mainfrom
Conversation
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
serhiy-storchaka
added
type-bug
orsenthil
reviewed
Feb 15, 2022
|
|
||
| add("c", "http://example.com/foo", "foo", "ni") | ||
| add("c", "http://example.com/bar", "bar", "nini") | ||
| add("c", "http://example.com/foo/bar", "foobar", "nibar") |
Member
There was a problem hiding this comment.
This line
add("c", "http://example.com/foo/bar", "foobar", "nibar")
along with this test a line 184 confuses me.
self.assertEqual(find_user_pass("c", "http://example.com/foo/bar"), ('foo', 'ni'))
- If we wanted to highlight that only
/foopath's password will be used. A comment above line 175 will be helpful. - The behavior is a bit confusing too. Cannot
/foo/barhave it's own username:password?
Member
Author
There was a problem hiding this comment.
This behavior seems intentional. See a comment at line 155: "For the same realm, password set the highest path is the winner." Tests at lines 158, 164 and 167 ensure this, but only for the root path. I added new tests for non-root path.
Should I repeat this comment above line 175?
Member
There was a problem hiding this comment.
Oh I see. I missed seeing the context in the diff. I notice an example illustrating the behavior for the comment already present in line 149 and line 150.
So, I don't think we need another comment. Thank you.
Comment on lines
+192
to
+193
| self.assertEqual(find_user_pass("c", "http://example.com/baz"), | ||
| (None, None)) |
Member
Author
There was a problem hiding this comment.
I am not sure about this test. Should http://example.com/baz be considered a sub-URI of http://example.com/baz/ or not? In other words, should a trailing slash be ignored?
Member
There was a problem hiding this comment.
I am not sure. I think, this test, which doesn't consider /baz to be sub-URI or /baz/ for HTTPPasswordMgr behavior seems safer.
If there is any reference to this in any rfc or any other software behavior that will be helpful as a validation.
Contributor
|
Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
|
GH-31570 is a backport of this pull request to the 3.10 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
|
GH-31571 is a backport of this pull request to the 3.9 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
|
GH-31572 is a backport of this pull request to the 3.8 branch. |
|
GH-31573 is a backport of this pull request to the 3.7 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
miss-islington
added a commit
that referenced
this pull request
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
miss-islington
added a commit
that referenced
this pull request
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
ned-deily
pushed a commit
that referenced
this pull request
Feb 25, 2022
…1573) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
asvetlov
pushed a commit
that referenced
this pull request
Feb 26, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
pablogsal
pushed a commit
that referenced
this pull request
Mar 2, 2022
…1572) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
gentoo-bot
pushed a commit
to gentoo/cpython
that referenced
this pull request
Mar 18, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (rebased for 2.7 by Michał Górny)
hello-adam
pushed a commit
to hello-adam/cpython
that referenced
this pull request
Jun 2, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed to bypass authorization. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
https://bugs.python.org/issue46756