Skip to content

Fix substring matches in WWW-Authenticate parsing#3041

Open
Whning0513 wants to merge 4 commits into
modelcontextprotocol:mainfrom
Whning0513:fix-www-auth-substring-match-3009
Open

Fix substring matches in WWW-Authenticate parsing#3041
Whning0513 wants to merge 4 commits into
modelcontextprotocol:mainfrom
Whning0513:fix-www-auth-substring-match-3009

Conversation

@Whning0513

Copy link
Copy Markdown

Fixes #3009.

extract_field_from_www_auth currently matches field_name as a substring of another auth-param name, so fields like scope can be shadowed by error_scope and resource_metadata can be shadowed by x_resource_metadata.

This change anchors the auth-param name to the start of the header or a parameter separator, and adds regressions for both the shadowing and false-positive cases.

Tested with:

  • PYTHONPATH=src:src/mcp-types python -m pytest -q tests/client/test_auth.py -k "extract_field_from_www_auth_valid_cases or extract_field_from_www_auth_invalid_cases"
  • PYTHONPATH=src:src/mcp-types python -m pytest -q tests/client/test_scope_bug_1630.py
  • PYTHONPATH=src:src/mcp-types python -m pytest -q tests/client/test_auth.py

Copilot AI review requested due to automatic review settings July 1, 2026 13:03

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a correctness issue in extract_field_from_www_auth where an auth-param name could be matched as a substring of a different param name (e.g., scope incorrectly matching inside error_scope), and adds regression coverage to prevent reintroducing the bug.

Changes:

  • Anchor auth-param name matching to the start of the header or a parameter separator to avoid substring shadowing.
  • Escape field_name in the regex to ensure literal matching.
  • Add regression test cases covering both “shadowing” (real param present but a decoy exists) and “false positive” (only decoy param exists).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/mcp/client/auth/utils.py Updates extract_field_from_www_auth regex to require a real auth-param name boundary and escape the field name.
tests/client/test_auth.py Adds regression cases ensuring substring-shadowing and substring-only params no longer match.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread src/mcp/client/auth/utils.py Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files (changes from recent commits).

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread src/mcp/client/auth/utils.py Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 2 files (changes from recent commits).

Tip: Review your code locally with the cubic CLI to iterate faster.

Fix all with cubic | Re-trigger cubic

Comment thread src/mcp/client/auth/utils.py Outdated
Comment thread src/mcp/client/auth/utils.py
@Whning0513

Copy link
Copy Markdown
Author

Followed up on two additional parser edge cases. This now keeps the first Bearer challenge when multiple Bearer challenges appear in one WWW-Authenticate header, and it accepts auth-params written with optional whitespace around = (for example scope = "read write"). I added regression coverage for both cases and reran the focused auth tests locally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

WWW-Authenticate parsing matches a field name as a substring of another auth-param

2 participants