Bug description:
urllib.request.AbstractDigestAuthHandler.retry_http_digest_auth parses a
server-controlled WWW-Authenticate: Digest ... challenge without guarding the
parse, so a malformed challenge raises a bare ValueError or IndexError out
of urlopen() instead of being declined:
import urllib.request
h = urllib.request.HTTPDigestAuthHandler(None)
req = urllib.request.Request("http://example.invalid/")
h.retry_http_digest_auth(req, "Digest realm") # ValueError
h.retry_http_digest_auth(req, "Digest realm=") # IndexError
h.retry_http_digest_auth(req, "Digest") # ValueError
Digest realm / Digest realm= fail in parse_keqv_list; Digest fails in
auth.split(' ', 1). The handler should decline a challenge it cannot
parse (return None), as it already does for a 40x it cannot handle.
CPython versions tested on:
3.12, 3.13, 3.14, 3.15
Operating systems tested on:
macOS
Linked PRs
Bug description:
urllib.request.AbstractDigestAuthHandler.retry_http_digest_authparses aserver-controlled
WWW-Authenticate: Digest ...challenge without guarding theparse, so a malformed challenge raises a bare
ValueErrororIndexErroroutof
urlopen()instead of being declined:Digest realm/Digest realm=fail inparse_keqv_list;Digestfails inauth.split(' ', 1). The handler should decline a challenge it cannotparse (return
None), as it already does for a 40x it cannot handle.CPython versions tested on:
3.12, 3.13, 3.14, 3.15
Operating systems tested on:
macOS
Linked PRs