
Add WWW-Authenticate header and ban characters in path that can't be included in its value

Per RFC 7235, the realm value can be a quoted-string. That's defined in RFC 7230 and can contain HTAB, SP and anything above SP, except for the double quote, backslash, or DEL. (Double quote and backslash could be escaped by backslash, but I won't bother with implementing that until it's needed.)
master
JustAnotherArchivist 3 years ago
parent
commit
7acc56d2bc
1 changed files with 3 additions and 3 deletions
  1. +3
    -3
      irclog.py

+ 3
- 3
irclog.py View File

@@ -170,8 +170,8 @@ class Config(dict):
channel['path'] = key
if not isinstance(channel['path'], str):
raise InvalidConfig(f'Invalid channel {key!r} path: not a string')
if '/' in channel['path'] or '\\' in channel['path']: #TODO Anything else?
raise InvalidConfig(f'Invalid channel {key!r} path: contains forward or backward slashes')
if any(x in channel['path'] for x in itertools.chain(map(chr, range(32)), ('/', '\\', '"', '\x7F'))):
raise InvalidConfig(f'Invalid channel {key!r} path: contains invalid characters')
if channel['path'] == 'general':
raise InvalidConfig(f'Invalid channel {key!r} path: cannot be "general"')
if channel['path'] in seenPaths:
@@ -736,7 +736,7 @@ class WebServer:
authHeader = request.headers.get('Authorization')
if not authHeader or authHeader != auth:
self.logger.info(f'Bad request {id(request)}: authentication failed: {authHeader!r} != {auth}')
raise aiohttp.web.HTTPUnauthorized()
raise aiohttp.web.HTTPUnauthorized(headers = {'WWW-Authenticate': f'Basic, realm="{request.match_info["path"]}"'})

async def _channel_handler(self, request, handler):
await self._check_valid_channel(request)
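Review bot: The challenge built on the new `raise aiohttp.web.HTTPUnauthorized(headers = ...)` line separates the scheme from the realm with a comma, `Basic, realm="..."`, but RFC 7235 puts whitespace between a scheme and its auth-params and reserves the comma for separating distinct challenges, so a client sees a bare `Basic` challenge followed by a malformed one and may not prompt for credentials; change it to `headers={'WWW-Authenticate': f'Basic realm="{request.match_info["path"]}"'}`. The path validation in the first hunk rejects exactly the characters the quoted-string grammar forbids, but it still admits non-ASCII code points, and how a client interprets those inside a realm is not defined by the grammar, so if channel paths can be non-ASCII either reject them there too or note the limitation in a comment. The info-level log on the preceding context line also appears to print the expected `auth` value next to the rejected header, which writes the valid credential into the log on every failed attempt; logging only that authentication failed would be safer. The enclosing method starts before this hunk.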

