merge heads

1 files changed, 4 insertions, 1 deletions

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index a5f0866cb6..96bb8d7068 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -895,7 +895,7 @@ class AbstractBasicAuthHandler:
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
     rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-                    'realm=(["\'])(.*?)\\2', re.I)
+                    'realm=(["\']?)([^"\']*)\\2', re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
     # end of section 2, and section 1.2 immediately after "credentials"
@@ -934,6 +934,9 @@ class AbstractBasicAuthHandler:
                 mo = AbstractBasicAuthHandler.rx.search(authreq)
                 if mo:
                     scheme, quote, realm = mo.groups()
+                    if quote not in ['"',"'"]:
+                        warnings.warn("Basic Auth Realm was unquoted",
+                                      UserWarning, 2)
                     if scheme.lower() == 'basic':
                         response = self.retry_http_basic_auth(host, req, realm)
                         if response and response.code != 401: