bpo-35647: Fix path check in cookiejar (#11436)
* Refactor cookie path check as per RFC 6265 * Add tests for prefix match of path * Add news entry * Fix set_ok_path and refactor tests * Use slice for last letter
This commit is contained in:
parent
1aeeaeb79e
commit
0e1f1f0105
|
@ -993,7 +993,7 @@ class DefaultCookiePolicy(CookiePolicy):
|
|||
req_path = request_path(request)
|
||||
if ((cookie.version > 0 or
|
||||
(cookie.version == 0 and self.strict_ns_set_path)) and
|
||||
not req_path.startswith(cookie.path)):
|
||||
not self.path_return_ok(cookie.path, request)):
|
||||
_debug(" path attribute %s is not a prefix of request "
|
||||
"path %s", cookie.path, req_path)
|
||||
return False
|
||||
|
@ -1200,11 +1200,15 @@ class DefaultCookiePolicy(CookiePolicy):
|
|||
def path_return_ok(self, path, request):
|
||||
_debug("- checking cookie path=%s", path)
|
||||
req_path = request_path(request)
|
||||
if not req_path.startswith(path):
|
||||
_debug(" %s does not path-match %s", req_path, path)
|
||||
return False
|
||||
return True
|
||||
pathlen = len(path)
|
||||
if req_path == path:
|
||||
return True
|
||||
elif (req_path.startswith(path) and
|
||||
(path.endswith("/") or req_path[pathlen:pathlen+1] == "/")):
|
||||
return True
|
||||
|
||||
_debug(" %s does not path-match %s", req_path, path)
|
||||
return False
|
||||
|
||||
def vals_sorted_by_key(adict):
|
||||
keys = sorted(adict.keys())
|
||||
|
|
|
@ -720,6 +720,30 @@ class CookieTests(unittest.TestCase):
|
|||
req = urllib.request.Request("http://www.example.com")
|
||||
self.assertEqual(request_path(req), "/")
|
||||
|
||||
def test_path_prefix_match(self):
|
||||
pol = DefaultCookiePolicy()
|
||||
strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True)
|
||||
|
||||
c = CookieJar(pol)
|
||||
base_url = "http://bar.com"
|
||||
interact_netscape(c, base_url, 'spam=eggs; Path=/foo')
|
||||
cookie = c._cookies['bar.com']['/foo']['spam']
|
||||
|
||||
for path, ok in [('/foo', True),
|
||||
('/foo/', True),
|
||||
('/foo/bar', True),
|
||||
('/', False),
|
||||
('/foobad/foo', False)]:
|
||||
url = f'{base_url}{path}'
|
||||
req = urllib.request.Request(url)
|
||||
h = interact_netscape(c, url)
|
||||
if ok:
|
||||
self.assertIn('spam=eggs', h, f"cookie not set for {path}")
|
||||
self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req))
|
||||
else:
|
||||
self.assertNotIn('spam=eggs', h, f"cookie set for {path}")
|
||||
self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req))
|
||||
|
||||
def test_request_port(self):
|
||||
req = urllib.request.Request("http://www.acme.com:1234/",
|
||||
headers={"Host": "www.acme.com:4321"})
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
Don't set cookie for a request when the request path is a prefix match of
|
||||
the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan
|
||||
Singaravelan.
|
Loading…
Reference in New Issue