bpo-35647: Fix path check in cookiejar (#11436)

* Refactor cookie path check as per RFC 6265

* Add tests for prefix match of path

* Add news entry

* Fix set_ok_path and refactor tests

* Use slice for last letter
This commit is contained in:
Xtreak 2019-03-10 22:42:28 +05:30 committed by Senthil Kumaran
parent 1aeeaeb79e
commit 0e1f1f0105
3 changed files with 36 additions and 5 deletions

View File

@ -993,7 +993,7 @@ class DefaultCookiePolicy(CookiePolicy):
req_path = request_path(request) req_path = request_path(request)
if ((cookie.version > 0 or if ((cookie.version > 0 or
(cookie.version == 0 and self.strict_ns_set_path)) and (cookie.version == 0 and self.strict_ns_set_path)) and
not req_path.startswith(cookie.path)): not self.path_return_ok(cookie.path, request)):
_debug(" path attribute %s is not a prefix of request " _debug(" path attribute %s is not a prefix of request "
"path %s", cookie.path, req_path) "path %s", cookie.path, req_path)
return False return False
@ -1200,11 +1200,15 @@ class DefaultCookiePolicy(CookiePolicy):
def path_return_ok(self, path, request): def path_return_ok(self, path, request):
_debug("- checking cookie path=%s", path) _debug("- checking cookie path=%s", path)
req_path = request_path(request) req_path = request_path(request)
if not req_path.startswith(path): pathlen = len(path)
_debug(" %s does not path-match %s", req_path, path) if req_path == path:
return False return True
elif (req_path.startswith(path) and
(path.endswith("/") or req_path[pathlen:pathlen+1] == "/")):
return True return True
_debug(" %s does not path-match %s", req_path, path)
return False
def vals_sorted_by_key(adict): def vals_sorted_by_key(adict):
keys = sorted(adict.keys()) keys = sorted(adict.keys())

View File

@ -720,6 +720,30 @@ class CookieTests(unittest.TestCase):
req = urllib.request.Request("http://www.example.com") req = urllib.request.Request("http://www.example.com")
self.assertEqual(request_path(req), "/") self.assertEqual(request_path(req), "/")
def test_path_prefix_match(self):
pol = DefaultCookiePolicy()
strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True)
c = CookieJar(pol)
base_url = "http://bar.com"
interact_netscape(c, base_url, 'spam=eggs; Path=/foo')
cookie = c._cookies['bar.com']['/foo']['spam']
for path, ok in [('/foo', True),
('/foo/', True),
('/foo/bar', True),
('/', False),
('/foobad/foo', False)]:
url = f'{base_url}{path}'
req = urllib.request.Request(url)
h = interact_netscape(c, url)
if ok:
self.assertIn('spam=eggs', h, f"cookie not set for {path}")
self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req))
else:
self.assertNotIn('spam=eggs', h, f"cookie set for {path}")
self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req))
def test_request_port(self): def test_request_port(self):
req = urllib.request.Request("http://www.acme.com:1234/", req = urllib.request.Request("http://www.acme.com:1234/",
headers={"Host": "www.acme.com:4321"}) headers={"Host": "www.acme.com:4321"})

View File

@ -0,0 +1,3 @@
Don't set cookie for a request when the request path is a prefix match of
the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan
Singaravelan.