Skip to content

bpo-35121: prefix dot in domain for proper subdomain validation #10258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Mar 10, 2019
Merged

bpo-35121: prefix dot in domain for proper subdomain validation #10258

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
d67d18e
Prefix domain with dot for proper subdomain validation in domain_retu…
tirkarthi Oct 31, 2018
2816aa8
Add NEWS entry
tirkarthi Oct 31, 2018
dfdc776
Prefix dot only for suffix check and add test
tirkarthi Dec 24, 2018
ecae447
Reword news entry and added extra test
tirkarthi Dec 24, 2018
b2ab4a3
Refactor if clause and fix news entry
tirkarthi Dec 24, 2018
b8e2df1
Ensure return_ok_domain does proper validation
tirkarthi Dec 25, 2018
9d1eed3
Move NEWS to security
tirkarthi Mar 9, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Prefix domain with dot for proper subdomain validation in domain_retu… 
…rn_ok
  • Loading branch information
@tirkarthi
tirkarthi committed Dec 24, 2018
commit d67d18e83ba60567f99135c73fd1229026436443
2 changes: 2 additions & 0 deletions Lib/http/cookiejar.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1173,6 +1173,8 @@ def domain_return_ok(self, domain, request):
req_host = "."+req_host
if not erhn.startswith("."):
erhn = "."+erhn
if not domain.startswith("."):
domain = "."+domain
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will affect calls of self.is_blocked(domain) and self.is_not_allowed(domain) below.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @serhiy-storchaka . My bad that I looked into fixing the issue and not about the underlying callers that use the dot-prefixed domain. Yes, adding the extra dot makes the comparison to fail where A has an extra dot at start due to my patch at https://github.com/python/cpython/blob/f30060dcd07cd53879226816512ea80bff0d0a78/Lib/http/cookiejar.py#L601 .

Sample program where the domain should be blocked

import urllib
from http.cookiejar import DefaultCookiePolicy

policy = DefaultCookiePolicy(blocked_domains=['xxxfoo.co.jp'])
req = urllib.request.Request('https://xxxfoo.co.jp/')
print(policy.domain_return_ok('xxxfoo.co.jp', req))
➜  cpython git:(master) ✗ python3.7 /tmp/bar.py 
False

➜  cpython git:(bpo35121) ✗ ./python.exe /tmp/bar.py  
True

With patch this returns true but should be false since the domain is blocked and the prefix dot makes the comparison .xxxfoo.co.jp == xxxfoo.co.jp . One fix would be to use dot prefixed domain only for the checks at

https://github.com/python/cpython/blob/f30060dcd07cd53879226816512ea80bff0d0a78/Lib/http/cookiejar.py#L1178

I think this needs to be fixed but I am also afraid I might accidentally break something here since the function itself received no changes since 2004.

if not (req_host.endswith(domain) or erhn.endswith(domain)):
#_debug(" request domain %s does not match cookie domain %s",
# req_host, domain)
Expand Down
2 changes: 2 additions & 0 deletions Lib/test/test_http_cookiejar.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -425,6 +425,8 @@ def test_domain_return_ok(self):
("http://foo/", "foo", True),
("http://foo/", "foo.local", True),
("http://foo/", ".local", True),
("http://barfoo.com", ".foo.com", False),
("http://barfoo.com", "foo.com", False),
]:
request = urllib.request.Request(url)
r = pol.domain_return_ok(domain, request)
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy