| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.
AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.
Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest authentication
- The 'qop' value in the 'WWW-Authenticate' header is optional. The
presence of 'qop' in the header should be checked before its value
is parsed with 'split'.
Signed-off-by: Stephen Balousek <stephen@balousek.net>
* bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest authentication
- Add NEWS item
Signed-off-by: Stephen Balousek <stephen@balousek.net>
* Update Misc/NEWS.d/next/Library/2020-02-06-05-33-52.bpo-39548.DF4FFe.rst
Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
Co-authored-by: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit 5e260e0fde211829fcb67060cfd602f4b679f802)
Co-authored-by: Stephen Balousek <sbalousek@users.noreply.github.com>
|
| |
|
|
|
|
| |
Ignore leading dots and no longer ignore a trailing newline.
(cherry picked from commit 6a265f0d0c0a4b3b8fecf4275d49187a384167f4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* fix HTTP Digest handling in request.py
There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
> qop-options = "qop" "=" <"> 1GH-qop-value <">
> qop-value = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server. The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection
This is description confirmed by the definition of the [//n//]`GH-`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.
When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.
* 📜🤖 Added by blurb_it.
* bpo-38686 review fix: remember why.
* fix trailing space in Lib/urllib/request.py
Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit 14a89c47983f2fb9e7fdf33c769e622eefd3a14a)
Co-authored-by: PypeBros <PypeBros@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
(GH-13505)
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.
Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
|
| |
|
|
|
| |
(cherry picked from commit 158695817d736df8b18682866033c87e46252309)
Co-authored-by: Boštjan Mejak <bostjan.xperia@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-2624)
(cherry picked from commit 3f2e6f15d64d81633b1fc0b308afc0d6e9026b61)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
| |
* Replaced list(<generator expression>) with list comprehension
* Replaced dict(<generator expression>) with dict comprehension
* Replaced set(<list literal>) with set literal
* Replaced builtin func(<list comprehension>) with func(<generator
expression>) when supported (e.g. any(), all(), tuple(), min(), &
max())
|
| | |
|
| | |
|
| |\ |
|
| | |\ |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
In urllib.request, suffixes in no_proxy environment variable with
leading dots could match related hostnames again (e.g. .b.c matches a.b.c).
Patch by Milan Oberkirch.
|
| | | | |
|
| |/ / |
|
| | |
| |
| |
| |
| |
| |
| | |
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.
ssl.wrap_socket() is not marked as deprecated yet.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the body object is a file, its size is no longer determined with
fstat(), since that can report the wrong result (e.g. reading from a pipe).
Instead, determine the size using seek(), or fall back to chunked encoding
for unseekable files.
Also, change the logic for detecting text files to check for TextIOBase
inheritance, rather than inspecting the “mode” attribute, which may not
exist (e.g. BytesIO and StringIO). The Content-Length for text files is no
longer determined ahead of time, because the original logic could have been
wrong depending on the codec and newline translation settings.
Patch by Demian Brecht and Rolf Krahl, with a few tweaks by me.
|
| |\ \
| |/
| |
| |
| |
| |
| | |
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | | |
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
| | | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Clarifies what is returned when and that the methods are common between the two.
Patch by Alexander Liu as part of #22797.
|
| |\ \ \ \
| |/ / / |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Some servers send Location header fields with non-ASCII bytes, but "http.
client" requires the request target to be ASCII-encodable, otherwise a
UnicodeEncodeError is raised. Based on patch by Christian Heimes.
Python 2 does not suffer any problem because it allows non-ASCII bytes in the
HTTP request target.
|
| | | | | |
|
| |\ \ \ \
| |/ / /
| | | |
| | | |
| | | |
| | | | |
Issue #26892: Honor debuglevel flag in urllib.request.HTTPHandler.
Patch contributed by Chi Hsuan Yen.
|
| | | | |
| | | |
| | | |
| | | | |
Patch contributed by Chi Hsuan Yen.
|
| |\ \ \ \
| |/ / / |
|
| | | | |
| | | |
| | | |
| | | | |
Patch by Xiang Zhang.
|
| |\ \ \ \
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | | |
Issue #26804: urllib.request will prefer lower_case proxy environment variables
over UPPER_CASE or Mixed_Case ones.
Patch contributed by Hans-Peter Jansen. Reviewed by Martin Panter and Senthil Kumaran.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
over UPPER_CASE or Mixed_Case ones.
Patch contributed by Hans-Peter Jansen. Reviewed by Martin Panter and Senthil Kumaran.
|
| |\ \ \ \
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
AbstractDigestAuthHandler.get_algorithm_impls
Raise ValueError if algorithm is not MD5 or SHA.
Initial patch by Mathieu Dupuy.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
AbstractDigestAuthHandler.get_algorithm_impls
Raise ValueError if algorithm is not MD5 or SHA.
Initial patch by Mathieu Dupuy.
|
| | | | |
| | | |
| | | |
| | | | |
to format short Python version.
|
| |\ \ \ \
| |/ / / |
|
| | | | |
| | | |
| | | |
| | | | |
Based on patches by Brian Brazil and Daniel Rocco.
|
| |\ \ \ \
| |/ / /
| | | |
| | | |
| | | | |
to ASCII replacements. Removed UTF-8 BOM from Misc/NEWS.
Original patch by Chris Angelico.
|
| | | | | |
|
| |/ / / |
|
| |\ \ \
| |/ /
| | |
| | | |
Patch from Daniel Andrade Groppe and Peter Lovett
|
| | | |
| | |
| | |
| | | |
Patch from Daniel Andrade Groppe and Peter Lovett
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This fix is a superset of the functionality introduced by the issue #19494
enhancement, and supersedes that fix. Instead of a new handler, we have a new
password manager that tracks whether we should send the auth for a given uri.
This allows us to say "always send", satisfying #19494, or track that we've
succeeded in auth and send the creds right away on every *subsequent* request.
The support for using the password manager is added to AbstractBasicAuth,
which means the proxy handler also now can handle prior auth if passed
the new password manager.
Patch by Akshit Khurana, docs mostly by me.
|
| |\ \ \
| |/ /
| | |
| | | |
socket if the FTP connection failed to fix a ResourceWarning.
|
| | | |
| | |
| | |
| | | |
the FTP connection failed to fix a ResourceWarning.
|
| |\ \ \
| |/ / |
|
