Details
Bug
Resolution: Fixed
Medium
Description
When trying to access files in private repositories, Bitbucket fails to send an HTTP 401 with a WWW-Authenticate header:
{{{
$ curl -I http://bitbucket.org/<privaterepo>/raw/tip/<path>
HTTP/1.1 403 FORBIDDEN
Date: Wed, 31 Mar 2010 18:33:12 GMT
Server: nginx/0.7.62
Content-Type: text/html; charset=utf-8
Vary: Cookie,Accept-Encoding
}}}
(I've left the actual repo and path out since they're private; contact me privately and I'd be happy to share the real details.)
This isn't just wrong from an HTTP standpoint; well-formed HTTP clients – and Python's urllib2, in particular – won't send authentication information unless challenged with an HTTP 401:
{{{
import urllib2
# Register the credentials for any realm under this URL prefix
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, 'http://bitbucket.org/', 'jacobian', '<password>')
# HTTPBasicAuthHandler sends credentials only in reply to a 401 challenge
authhandler = urllib2.HTTPBasicAuthHandler(passman)
opener = urllib2.build_opener(authhandler)
f = opener.open('http://bitbucket.org/<repo>/raw/tip/<path>')
...
HTTPError: HTTP Error 403: FORBIDDEN
}}}
This also fails if you use a basic {{{HTTPPasswordMgr}}} and specify the realm manually.
I discovered this when trying to use Review Board (1.5 beta 2) with a private Bitbucket repository. Review Board uses urllib2 in a manner nearly exactly like the above (see http://github.com/reviewboard/reviewboard/blob/master/reviewboard/scmtools/hg.py#L105).
I'm going to file this same bug against Review Board in a moment, and it probably won't be too hard to hack around Bitbucket's behavior and make Review Board work. But it is indeed a Bitbucket bug: Bitbucket should be sending an HTTP 401 response.
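
The behaviour reported above can be reproduced offline. The following is an added example, not code from the original report, Bitbucket or Review Board: it uses Python 3's `urllib.request` (the successor to urllib2) against a local test server that denies unauthenticated requests with either 401 plus `WWW-Authenticate` or a bare 403. The names `make_handler` and `fetch_status`, the credentials and the `preemptive` option (one assumed way a client could work around the 403) are all constructed for illustration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CREDS = ("user", "constructed-password")  # constructed sample credentials
EXPECTED = "Basic " + base64.b64encode(":".join(CREDS).encode()).decode()


def make_handler(denied_status):
    """Build a handler that answers unauthenticated requests with denied_status."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            authorized = self.headers.get("Authorization") == EXPECTED
            self.send_response(200 if authorized else denied_status)
            if not authorized and denied_status == 401:
                # The challenge is what tells the client to retry with credentials.
                self.send_header("WWW-Authenticate", 'Basic realm="private"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the test server quiet
            pass
    return Handler


def fetch_status(denied_status, preemptive=False):
    """Return the final status a urllib client sees against the local server."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(denied_status))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/raw/tip/file" % server.server_port
    passman = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    passman.add_password(None, url, *CREDS)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore any proxy set in the environment
        urllib.request.HTTPBasicAuthHandler(passman))
    request = urllib.request.Request(url)
    if preemptive:  # assumed workaround: send credentials without a challenge
        request.add_header("Authorization", EXPECTED)
    try:
        with opener.open(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        server.shutdown()
        server.server_close()
```

Preemptive Basic auth puts the credentials on the first request, so a client using it should restrict it to the intended host and an HTTPS URL.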