bpo-46756: Fix authorization check in urllib.request #31353
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
orsenthil
reviewed
Feb 15, 2022
| @@ -173,12 +172,29 @@ def test_password_manager(self): | |||
|
|
|||
| add("c", "http://example.com/foo", "foo", "ni") | |||
| add("c", "http://example.com/bar", "bar", "nini") | |||
| add("c", "http://example.com/foo/bar", "foobar", "nibar") | |||
There was a problem hiding this comment.
This line
add("c", "http://example.com/foo/bar", "foobar", "nibar")
along with this test a line 184 confuses me.
self.assertEqual(find_user_pass("c", "http://example.com/foo/bar"), ('foo', 'ni'))
- If we wanted to highlight that only
/foopath's password will be used. A comment above line 175 will be helpful. - The behavior is a bit confusing too. Cannot
/foo/barhave it's own username:password?
There was a problem hiding this comment.
This behavior seems intentional. See a comment at line 155: "For the same realm, password set the highest path is the winner." Tests at lines 158, 164 and 167 ensure this, but only for the root path. I added new tests for non-root path.
Should I repeat this comment above line 175?
There was a problem hiding this comment.
Oh I see. I missed seeing the context in the diff. I notice an example illustrating the behavior for the comment already present in line 149 and line 150.
So, I don't think we need another comment. Thank you.
serhiy-storchaka
reviewed
Feb 15, 2022
| self.assertEqual(find_user_pass("c", "http://example.com/baz"), | ||
| (None, None)) |
There was a problem hiding this comment.
I am not sure about this test. Should http://example.com/baz be considered a sub-URI of http://example.com/baz/ or not? In other words, should a trailing slash be ignored?
There was a problem hiding this comment.
I am not sure. I think, this test, which doesn't consider /baz to be sub-URI or /baz/ for HTTPPasswordMgr behavior seems safer.
If there is any reference to this in any rfc or any other software behavior that will be helpful as a validation.
|
Thanks @serhiy-storchaka for the PR |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this issue
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
GH-31570 is a backport of this pull request to the 3.10 branch. |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this issue
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
GH-31571 is a backport of this pull request to the 3.9 branch. |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this issue
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
GH-31572 is a backport of this pull request to the 3.8 branch. |
|
GH-31573 is a backport of this pull request to the 3.7 branch. |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this issue
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
miss-islington
added a commit
that referenced
this issue
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
miss-islington
added a commit
that referenced
this issue
Feb 25, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ned-deily
pushed a commit
that referenced
this issue
Feb 25, 2022
…1573) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
asvetlov
added a commit
that referenced
this issue
Feb 26, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
pablogsal
pushed a commit
that referenced
this issue
Mar 2, 2022
…1572) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gentoo-bot
pushed a commit
to gentoo/cpython
that referenced
this issue
Mar 18, 2022
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (rebased for 2.7 by Michał Górny)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed to bypass authorization. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
https://bugs.python.org/issue46756