Uploaded image for project: 'MusicBrainz Server'
  1. MusicBrainz Server
  2. MBS-6185

400 error using Digest Auth from python through proxy

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 2013-04-08
    • Web service
    • None
    • Python

      Digest auth doesn't work using python (urllib) when behind a proxy.
      A 400 Bad Request is returned without a body from musicbrainz.org.

      An example script can be found at:
      https://gist.github.com/JonnyJD/5429281 (password_test.py) using python-musicbrainzngs.
      This cannot be reproduced using plain curl, since python's urllib does it differently.

      When using the without a proxy it either works or gives a 401 when the password is incorrect.
      With a proxy in between a 400 error is always returned, whether the password is correct or not.

      The problem is probably: http://bugs.python.org/issue4140
      urllib uses an absolute URI in the digest header when talking to a proxy (squid in my case) and musicbrainz.org receives these absolute URIs and rejects them.
      When using urllib without a proxy (and curl with or without a proxy) the uri in the digest header is always a server path (without server name and protocol).
      The resolution on the ticket is invalid, since using the absoluteURI is required in the spec.

      behind proxy (using python 2.7):

      POST http://test.musicbrainz.org/ws/2/recording?client=password_test.py-0.1 HTTP/1.1^M
Accept-Encoding: identity^M
Content-Length: 98^M
Host: test.musicbrainz.org^M
User-Agent: password_test.py/0.1 python-musicbrainz-ngs/0.4dev ( http://github.com/JonnyJD/musicbrainz-isrcsubmit )^M
Connection: close^M
Content-Type: application/xml; charset=UTF-8^M
Authorization: Digest username="JonnyJD", realm="musicbrainz.org", nonce="nmpfGj6r4hGDzFnNYz14Mw==",
uri="http://test.musicbrainz.org/ws/2/recording?client=password_test.py-0.1", 
response="3285e2d7be509adc73c04940816de4c8", opaque="bqhgGj6r4hGDzFnNYz14Mw==", algorithm="MD5", qop=auth, 
nc=00000001, cnonce="11fabbbda2085143"^

      without proxy:

      POST /ws/2/recording?client=password_test.py-0.1 HTTP/1.1
Accept-Encoding: identity
Content-Length: 98
Host: test.musicbrainz.org
User-Agent: password_test.py/0.1 python-musicbrainz-ngs/0.4dev ( http://github.com/JonnyJD/musicbrainz-isrcsubmit )
Connection: close
Content-Type: application/xml; charset=UTF-8
Authorization: Digest username="JonnyJD", realm="musicbrainz.org", nonce="KkHsFECr4hGAJVnNYz14Mw==", 
uri="/ws/2/recording?client=password_test.py-0.1", response="b51454070016894d8790c85aac98fd2a", 
opaque="+lfsFECr4hGAJVnNYz14Mw==", algorithm="MD5", qop=auth, nc=00000001, cnonce="dbae7bdd04e155bf"

      The difference is:
      uri="h ttp://test.musicbrainz.org/ws/2/recording?client=password_test.py-0.1"

        1. 0001-84789-allow-absoluteURI-in-digest-uri-header.patch
          1 kB

            Unassigned Unassigned
            jonnyjd Johannes Dewender
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:

                Version Package