Issue #1812 resolved

bitbucket doesn't properly send HTTP 401 responses header on private repository requests (BB-805)

Jacob Kaplan-Moss
created an issue

When trying to access files in private repositories, Bitbucket fails to send a HTTP 401 with a WWW-Authenticate header:

{{{
$ curl -I http://bitbucket.org/<privaterepo>/raw/tip/<path>
HTTP/1.1 403 FORBIDDEN
Date: Wed, 31 Mar 2010 18:33:12 GMT
Server: nginx/0.7.62
Content-Type: text/html; charset=utf-8
Vary: Cookie,Accept-Encoding
}}}

(I've left the actual repo and path out since they're private; contact me privately and I'd be happy to share the real details.)

This isn't just wrong from an HTTP standpoint; well-formed HTTP clients -- and Python's urllib2, in particular -- won't send authentication information unless challenged with an HTTP 401:

{{{
import urllib2

# credentials for any URL under bitbucket.org, realm unspecified
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, 'http://bitbucket.org/', 'jacobian', '<password>')
authhandler = urllib2.HTTPBasicAuthHandler(passman)
opener = urllib2.build_opener(authhandler)
# the handler only adds Authorization after a 401 challenge
f = opener.open('http://bitbucket.org/<repo>/raw/tip/<path>')
...
HTTPError: HTTP Error 403: FORBIDDEN
}}}

This also fails if you use a basic {{{HTTPPasswordMgr}}} and specify the realm manually.

I discovered this when trying to use Review Board (1.5 beta 2) with a private Bitbucket repository. Review Board uses urllib2 in a manner nearly exactly like the above (see http://github.com/reviewboard/reviewboard/blob/master/reviewboard/scmtools/hg.py#L105).

I'm going to file this same bug against Review Board in a moment, and it probably won't be too hard to hack around Bitbucket's behavior and make Review Board work. But it is indeed a Bitbucket bug: Bitbucket should be sending a HTTP 401 response.
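To make the challenge-response behaviour described in the report concrete, here is an added example (not code from the issue, Review Board or Bitbucket) in Python 3: a toy local server that answers an unauthenticated request for a "private" path with either a proper 401 plus WWW-Authenticate or a bare 403, and a urllib.request client configured exactly like the urllib2 snippet above. The credentials and the realm string "Bitbucket" are constructed for the example.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the toy server (the report's real password is not on the page).
USER, PASSWORD = "jacobian", "hunter2"
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


def make_handler(challenge):
    """Handler for a 'private' path: an unauthenticated request gets a proper
    401 + WWW-Authenticate (challenge=True) or, as in the report, a bare 403."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == EXPECTED_AUTH:
                body = b"private file contents\n"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
            self.send_response(401 if challenge else 403)
            if challenge:
                self.send_header("WWW-Authenticate", 'Basic realm="Bitbucket"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler


def fetch_with_basic_auth(challenge):
    """Fetch a private URL the way the report's urllib2 code does (urllib.request is
    the Python 3 equivalent) and return the final HTTP status the client sees."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(challenge))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/private/raw/tip/file.txt"
    passman = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    passman.add_password(None, url, USER, PASSWORD)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(passman))
    try:
        with opener.open(url) as resp:
            return resp.status          # 200: credentials were sent on the 401 retry
    except urllib.error.HTTPError as err:
        return err.code                 # 403: no challenge, so credentials never sent
    finally:
        server.shutdown()
        server.server_close()
```

Calling `fetch_with_basic_auth(True)` returns 200 while `fetch_with_basic_auth(False)` returns 403 with the same password manager, which is exactly the failure the report describes.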

Comments (3)

  1. Jacob Kaplan-Moss reporter

    An update: it appears something even more basic is going on than the misuse of HTTP status codes: accessing the file directly with curl fails, as well:

    $ curl -i -ujacobian:<pass> https://bitbucket.org/<repo>/raw/tip/<path>
    HTTP/1.1 403 FORBIDDEN
    Date: Wed, 31 Mar 2010 19:13:08 GMT
    Server: nginx/0.7.62
    Content-Type: text/html; charset=utf-8
    Vary: Cookie,Accept-Encoding
    Content-Length: 0
    