traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[2.7] bpo-35647: Fix path check in cookiejar. (GH-11436) (GH-13427)

This commit is contained in:
Xtreak 2019-06-15 21:59:29 +05:30 committed by Serhiy Storchaka
parent 979daae300
commit ee15aa2b85
3 changed files with 41 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Lib/cookielib.py
View File

@ -984,7 +984,7 @@ class DefaultCookiePolicy(CookiePolicy):
req_path = request_path(request) req_path = request_path(request)
if ((cookie.version > 0 or if ((cookie.version > 0 or
(cookie.version == 0 and self.strict_ns_set_path)) and (cookie.version == 0 and self.strict_ns_set_path)) and
not req_path.startswith(cookie.path)): not self.path_return_ok(cookie.path, request)):
_debug(" path attribute %s is not a prefix of request " _debug(" path attribute %s is not a prefix of request "
"path %s", cookie.path, req_path) "path %s", cookie.path, req_path)
return False return False
@ -1191,11 +1191,15 @@ class DefaultCookiePolicy(CookiePolicy):
def path_return_ok(self, path, request): def path_return_ok(self, path, request):
_debug("- checking cookie path=%s", path) _debug("- checking cookie path=%s", path)
req_path = request_path(request) req_path = request_path(request)
if not req_path.startswith(path): pathlen = len(path)
_debug(" %s does not path-match %s", req_path, path) if req_path == path:
return False return True
return True elif (req_path.startswith(path) and
(path.endswith("/") or req_path[pathlen:pathlen+1] == "/")):
return True
_debug(" %s does not path-match %s", req_path, path)
return False
def vals_sorted_by_key(adict): def vals_sorted_by_key(adict):
keys = adict.keys() keys = adict.keys()

29
Lib/test/test_cookielib.py
View File

@ -649,6 +649,35 @@ class CookieTests(TestCase):
req = Request("http://www.example.com") req = Request("http://www.example.com")
self.assertEqual(request_path(req), "/") self.assertEqual(request_path(req), "/")
def test_path_prefix_match(self):
from cookielib import CookieJar, DefaultCookiePolicy
from urllib2 import Request
pol = DefaultCookiePolicy()
strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True)
c = CookieJar(pol)
base_url = "http://bar.com"
interact_netscape(c, base_url, 'spam=eggs; Path=/foo')
cookie = c._cookies['bar.com']['/foo']['spam']
for path, ok in [('/foo', True),
('/foo/', True),
('/foo/bar', True),
('/', False),
('/foobad/foo', False)]:
url = '{0}{1}'.format(base_url, path)
req = Request(url)
h = interact_netscape(c, url)
if ok:
self.assertIn('spam=eggs', h,
"cookie not set for {0}".format(path))
self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req))
else:
self.assertNotIn('spam=eggs', h,
"cookie set for {0}".format(path))
self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req))
def test_request_port(self): def test_request_port(self):
from urllib2 import Request from urllib2 import Request
from cookielib import request_port, DEFAULT_HTTP_PORT from cookielib import request_port, DEFAULT_HTTP_PORT

3
Misc/NEWS.d/next/Security/2019-05-20-00-49-29.bpo-35647.oWmiGU.rst Normal file
View File

@ -0,0 +1,3 @@
Don't set cookie for a request when the request path is a prefix match of
the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan
Singaravelan.