bpo-35121: prefix dot in domain for proper subdomain validation #10258
Merged: 7 commits, Mar 10, 2019
Commit: Prefix dot only for suffix check and add test
tirkarthi committed Dec 24, 2018
commit dfdc776358e8cbe2e9f4e43e3869749e43876128
7 changes: 4 additions & 3 deletions Lib/http/cookiejar.py
Expand Up @@ -1169,13 +1169,14 @@ def domain_return_ok(self, domain, request):
# Liberal check of. This is here as an optimization to avoid
# having to load lots of MSIE cookie files unless necessary.
req_host, erhn = eff_request_host(request)
suffix_check_domain = domain
if not req_host.startswith("."):
req_host = "."+req_host
if not erhn.startswith("."):
erhn = "."+erhn
if not domain.startswith("."):
domain = "."+domain
if not (req_host.endswith(domain) or erhn.endswith(domain)):
if suffix_check_domain and not suffix_check_domain.startswith("."):
suffix_check_domain = "." + suffix_check_domain
if not (req_host.endswith(suffix_check_domain) or erhn.endswith(suffix_check_domain)):
Contributor:

New code should conform to PEP 8.

Member:

Maybe use shorter name, e.g. dotdomain?

Member Author:

dotdomain sounds good to me. Perhaps restructure the clause as below, removing the assignment at the start?

if domain and not domain.startswith("."):
    dotdomain = "." + domain
else:
    dotdomain = domain

Member:

LGTM.

Member Author:

Changed the code to use dotdomain as mentioned in #10258 (comment). Thanks.

#_debug(" request domain %s does not match cookie domain %s",
# req_host, domain)
return False
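Review bot: the truthiness guard in `if suffix_check_domain and not suffix_check_domain.startswith("."):` is doing real work and deserves a one-line comment: without it an empty `domain` would be turned into `"."`, which is a suffix of every dotted `req_host`/`erhn` and would make the suffix check pass for any host. Keeping the dot-prefixed value on a separate name (rather than rewriting `domain` as the earlier revision did) also leaves `domain` untouched for the rest of the function, including the commented-out `_debug` call just below that reports it. The shorter `dotdomain` name and the `if domain and not domain.startswith("."): dotdomain = "." + domain` / `else: dotdomain = domain` shape agreed on in the thread read better than the up-front copy; the `"." + ...` spacing in the new lines is also consistent with the PEP 8 remark, unlike the unchanged `"."+req_host` and `"."+erhn` lines above it.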
25 changes: 25 additions & 0 deletions Lib/test/test_http_cookiejar.py
Expand Up @@ -961,6 +961,31 @@ def test_domain_block(self):
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

c.clear()

pol.set_blocked_domains([])
req = urllib.request.Request("http://acme.com/")
res = FakeResponse(headers, "http://acme.com/")
c.extract_cookies(res, req)
self.assertEqual(len(c), 1)

req = urllib.request.Request("http://acme.com/")
c.add_cookie_header(req)
self.assertTrue(req.has_header("Cookie"))

req = urllib.request.Request("http://badacme.com/")
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

p = pol.set_blocked_domains(["acme.com"])
req = urllib.request.Request("http://acme.com/")
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

req = urllib.request.Request("http://badacme.com/")
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

def test_secure(self):
for ns in True, False:
for whitespace in " ", "":
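Review bot: `p = pol.set_blocked_domains(["acme.com"])` binds a name that is never used, and the earlier `pol.set_blocked_domains([])` call in the same test is bare; drop the `p =`. The assertions cover the regression well: with no block list the acme.com cookie is sent to acme.com but not to badacme.com, which is exactly the plain-`endswith` case the dot prefix closes (`"badacme.com".endswith("acme.com")` is true, `"badacme.com".endswith(".acme.com")` is not), and blocking acme.com then suppresses the header for both hosts. One case worth adding is a genuine subdomain request (for example www.acme.com) so the test also shows the dot-prefixed suffix check still matches hosts that legitimately sit under the cookie domain.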