[Bug 1343888] [NEW] _get_changelog_or_news does not handle Basic auth properly

Dominik George 1343888 at bugs.launchpad.net
Fri Jul 18 08:18:24 UTC 2014 

Public bug reported:

_get_changelog_or_news when fetching chengelogs from third-party URLS
that contain username:password does not handle that information
correctly.

urllib2 expects to get the authorization information in a an Opener
object isntead of in the URL. Passing it in the URL leads to it being
passed wrongly, which also is a bug in urllib2.

Here is how to do it the right way (but untested as I do not have
Ubuntu):

--- MyCache.py.old      2014-06-06 16:37:58.000000000 +0200
+++ MyCache.py  2014-07-18 10:13:10.327293133 +0200
@@ -213,6 +213,17 @@ class MyCache(DistUpgrade.DistUpgradeCac
                 "https locations with username/password are not"
                 "supported to fetch changelogs")
 
+        #You cannot just throw username:password at urllib2
+        if res.username != '':
+            parts = list(res)
+            parts[1] = parts[1].split('@')[1]
+            auth_handler = urllib2.HTTPBasicAuthHandler()
+            auth_handler.add_password(uri=urlparse.urlunsplit(tuple(parts)),
+                          user=res.username,
+                          passwd=res.password)
+            opener = urllib2.build_opener(auth_handler)
+            urllib2.install_opener(opener)
+
         # print "Trying: %s " % uri
         changelog = urllib2.urlopen(uri)
         #print changelog.read()

** Affects: update-manager (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1343888

Title:
  _get_changelog_or_news does not handle Basic auth properly

Status in “update-manager” package in Ubuntu:
  New

Bug description:
  _get_changelog_or_news when fetching chengelogs from third-party URLS
  that contain username:password does not handle that information
  correctly.

  urllib2 expects to get the authorization information in a an Opener
  object isntead of in the URL. Passing it in the URL leads to it being
  passed wrongly, which also is a bug in urllib2.

  Here is how to do it the right way (but untested as I do not have
  Ubuntu):

  --- MyCache.py.old      2014-06-06 16:37:58.000000000 +0200
  +++ MyCache.py  2014-07-18 10:13:10.327293133 +0200
  @@ -213,6 +213,17 @@ class MyCache(DistUpgrade.DistUpgradeCac
                   "https locations with username/password are not"
                   "supported to fetch changelogs")
   
  +        #You cannot just throw username:password at urllib2
  +        if res.username != '':
  +            parts = list(res)
  +            parts[1] = parts[1].split('@')[1]
  +            auth_handler = urllib2.HTTPBasicAuthHandler()
  +            auth_handler.add_password(uri=urlparse.urlunsplit(tuple(parts)),
  +                          user=res.username,
  +                          passwd=res.password)
  +            opener = urllib2.build_opener(auth_handler)
  +            urllib2.install_opener(opener)
  +
           # print "Trying: %s " % uri
           changelog = urllib2.urlopen(uri)
           #print changelog.read()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1343888/+subscriptions

More information about the foundations-bugs mailing list