requests/auth: Handle an empty 'qop' attribute in an Authenticate challenge

Some malfunctioning HTTP servers may return a qop directive with no token, as
opposed to correctly omitting the qop directive completely. For example:

header: WWW-Authenticate: Digest realm="foobar_api_auth", qop="",
        nonce="a12059eaaad0b86ece8f62f04cbafed6", algorithm="MD5",
        stale="false"

Prior to this patch, requests would respond with a 'None' Authorization header.
While the server is certainly incorrect, this patch updates requests to be
more tolerant to this kind of shenaniganry. If we receive an empty string for
the value of the qop attribute, we instead treat that as if the qop attribute
was simply not provided.

Closes psf#2916
matt-jordan committed Dec 5, 2015
1 parent 40ce366 commit 5c19d3e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion requests/auth.py
Expand Up @@ -136,7 +136,7 @@ def sha_utf8(x):
if _algorithm == 'MD5-SESS':
HA1 = hash_utf8('%s:%s:%s' % (HA1, nonce, cnonce))

if qop is None:
if not qop:
respdig = KD(HA1, "%s:%s" % (nonce, HA2))
elif qop == 'auth' or 'auth' in qop.split(','):
noncebit = "%s:%s:%s:%s:%s" % (
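Review bot: The switch to `if not qop:` ships without a test, since requests/auth.py is the only changed file. A regression test that replays the `qop=""` challenge from the commit message and asserts that the Authorization header is a real Digest value rather than 'None' would pin the behaviour down. A one-line comment on the new condition would also help, because an empty qop now takes the branch that builds the response from `nonce` and `HA2` alone, the form without cnonce or nonce count, and the next reader should see that this is a deliberate tolerance for broken servers. Separately, the `elif` below compares against `qop.split(',')` without stripping whitespace, so a value such as `"auth-int, auth"` would not match; worth a follow-up if tolerance for sloppy challenges is the goal.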