Skip to content

escape backslashes in digest auth quoted-string values#13054

Draft
dxbjavid wants to merge 2 commits into
aio-libs:masterfrom
dxbjavid:digest-auth-escape-backslash
Draft

escape backslashes in digest auth quoted-string values#13054
dxbjavid wants to merge 2 commits into
aio-libs:masterfrom
dxbjavid:digest-auth-escape-backslash

Conversation

@dxbjavid

@dxbjavid dxbjavid commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

What do these changes do?

escape_quotes in the digest auth middleware only escaped double quotes and left backslashes untouched, so a value taken from a server's WWW-Authenticate challenge (realm, nonce or opaque) that ends in or contains a backslash produces a malformed quoted-string in the Authorization header the client sends back. A realm of foo\ is emitted as realm="foo\", where the intended closing quote now reads as an escaped quote, so a compliant quoted-string parser treats the realm as running on into the following nonce/uri/response directives. A malicious or compromised server can use this to corrupt or smuggle fields in the credentials header the client generates.

The rest of the codebase already escapes both characters when building HTTP quoted-strings (see helpers.content_disposition_header and the multipart writer), so this just brings escape_quotes in line with that, escaping the backslash before the quote, and makes unescape_quotes the exact inverse so the round-trip used when parsing challenges is preserved.

Are there changes in behavior for the user?

Only for values that contain a backslash, which were previously encoded incorrectly. Values without a backslash are unchanged.

Is it a substantial burden for the maintainers to support this?

No, it is a two-line change to a pair of helpers.

Related issue number

N/A

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • Add a new news fragment into the CHANGES/ folder

@psf-chronographer psf-chronographer Bot added the bot:chronographer:provided There is a change note present in this PR label Jul 5, 2026
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.96%. Comparing base (e3774b4) to head (6b4547a).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #13054   +/-   ##
=======================================
  Coverage   98.96%   98.96%           
=======================================
  Files         131      131           
  Lines       48156    48166   +10     
  Branches     2499     2499           
=======================================
+ Hits        47656    47666   +10     
  Misses        376      376           
  Partials      124      124           
Flag Coverage Δ
Autobahn 22.21% <8.33%> (-0.01%) ⬇️
CI-GHA 98.90% <100.00%> (-0.01%) ⬇️
OS-Linux 98.66% <100.00%> (-0.01%) ⬇️
OS-Windows 97.04% <100.00%> (-0.01%) ⬇️
OS-macOS 97.95% <100.00%> (-0.01%) ⬇️
Py-3.10 98.14% <100.00%> (-0.01%) ⬇️
Py-3.11 98.41% <100.00%> (-0.01%) ⬇️
Py-3.12 98.50% <100.00%> (+<0.01%) ⬆️
Py-3.13 98.47% <100.00%> (-0.01%) ⬇️
Py-3.14 98.49% <100.00%> (+<0.01%) ⬆️
Py-3.14t 97.59% <100.00%> (+<0.01%) ⬆️
Py-pypy-3.11 97.44% <100.00%> (-0.01%) ⬇️
VM-macos 97.95% <100.00%> (-0.01%) ⬇️
VM-ubuntu 98.66% <100.00%> (-0.01%) ⬇️
VM-windows 97.04% <100.00%> (-0.01%) ⬇️
cython-coverage 38.10% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

@codspeed-hq

codspeed-hq Bot commented Jul 5, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 83 untouched benchmarks
⏩ 83 skipped benchmarks1


Comparing dxbjavid:digest-auth-escape-backslash (6b4547a) with master (e3774b4)

Open in CodSpeed

Footnotes

  1. 83 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bot:chronographer:provided There is a change note present in this PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant