Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh-128192: support sha-256 digest authentication #128193

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Lib/urllib/request.py
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks fine, but you should add a test.

from RFC-7616

   This specification defines the following algorithms:

   o  SHA2-256 (mandatory to implement)

   o  SHA2-512/256 (as a backup algorithm)

   o  MD5 (for backward compatibility).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont know, I assume i would just be re-writing a test that probably exists in hashlib?

i've only found a single test written for this function that checks for an invalid algorithm.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hashlib does not need to be tested. What needs to be tested is that MD5, SHA and SHA-256 are recognized algorithms if you specify them as is in the request headers. This is an opportunity to add tests for this as well.

Original file line number Diff line number Diff line change
Expand Up @@ -1182,6 +1182,8 @@ def get_algorithm_impls(self, algorithm):
elif algorithm == 'SHA':
H = lambda x: hashlib.sha1(x.encode("ascii")).hexdigest()
# XXX MD5-sess
elif algorithm == 'SHA-256':
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you move the XXX MD5-sess before the else and not before the elif? thanks. In addition, mention that the algorithm names are taken from https://datatracker.ietf.org/doc/html/rfc7616#section-6.1.

H = lambda x: hashlib.sha256(x.encode("ascii")).hexdigest()
else:
raise ValueError("Unsupported digest authentication "
"algorithm %r" % algorithm)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Support digest authentication algorithm SHA-256 in :mod:`urllib.request`.
Copy link
Contributor

@picnixz picnixz Dec 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Support digest authentication algorithm SHA-256 in :mod:`urllib.request`.
Upgrade HTTP digest authentication algorithm for :mod:`urllib.request` by
supporting SHA-256 digest authentication as specified in :rfc:`7616`.

This also requires a What's New entry. However, we do not have any documentation concerning HTTP digest access authentication (we only have https://docs.python.org/3/library/urllib.request.html#abstractdigestauthhandler-objects but never do we mention which digests we are supporting). Nonetheless, maybe we can update the wording of that documented entry.

Loading