Comment 3 for bug 974319

Chmouel Boudjnah (chmouel) wrote :

It took me a while to track this down, and I am still not sure I fully understand it.

So what happens when the client does this kind of request:

GET /v2.0/tokens/foo bar HTTP/1.1
Host: localhost:35357
Accept-Encoding: identity
X-Auth-Token: ADMIN

We are getting an HTML error message:

http://pastie.org/4052089/text

But for a good query we are getting:

http://pastie.org/pastes/4052093/text

Note that this one is not an HTML error but a standard error.

So when using httplib, that is read via the function read_status:

http://pastie.org/4052134

At line 11 it tries to do some splitting of the first line to get the HTTP error, and tries again on line 14, but it cannot do it since HTTPBaseServer comes back with an HTML <head> as the first line, so it goes on until line 27:

return "HTTP/0.9", 200, ""

and returns a 200 error.

It all comes down to BaseHttpServer DEFAULT_ERROR_MESSAGE:

# Default error message template
DEFAULT_ERROR_MESSAGE = """\
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code %(code)d.
<p>Message: %(message)s.
<p>Error code explanation: %(code)s = %(explain)s.
</body>
"""

which I think should be non-HTML, and the %(message)s is XSS vulnerable as well (i.e. http://mail.python.org/pipermail/python-bugs-list/2005-June/029368.html)

So, well, HTTPBaseServer is buggy and httplib should detect that.

We could maybe try with another library than httplib to validate the token in auth_token.py.

Let me know what you guys think.
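
Added example (not part of the original comment, and not httplib's own source): a simplified Python model of the status-line fallback the comment describes, next to a strict variant that rejects a response whose first line is not an HTTP status line. The function names, the token check and the sample responses are constructed for illustration.

```python
# Simplified model of the status-line fallback described above (not httplib's
# own source). Function names and sample responses are constructed.

class BadStatusLine(Exception):
    """First line of the response is not a usable HTTP status line."""

# Constructed responses: a bare HTML error page, a proper 404, a proper 200.
HTML_ERROR = b"<head>\n<title>Error response</title>\n</head>\n<body>\n</body>\n"
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n{}"

def read_status(raw, strict):
    """Return (version, status, reason) parsed from the first response line."""
    line = raw.split(b"\n", 1)[0].decode("latin-1").strip()
    if not line:
        raise BadStatusLine(line)
    parts = line.split(None, 2)
    if not parts[0].startswith("HTTP/"):
        if strict:
            raise BadStatusLine(line)
        # Lenient path: treat the data as an HTTP/0.9 Simple-Response.
        return "HTTP/0.9", 200, ""
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        raise BadStatusLine(line)
    if not 100 <= status <= 999:
        raise BadStatusLine(line)
    return parts[0], status, parts[2] if len(parts) > 2 else ""

def token_accepted(raw, strict):
    """Hypothetical token check: accept only a genuine 200, fail closed otherwise."""
    try:
        _, status, _ = read_status(raw, strict)
    except BadStatusLine:
        return False
    return status == 200

if __name__ == "__main__":
    for name, raw in (("html error", HTML_ERROR), ("404", NOT_FOUND), ("200", OK)):
        print(name, "lenient:", token_accepted(raw, False),
              "strict:", token_accepted(raw, True))
```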