Skip to content

bpo-35121: prefix dot in domain for proper subdomain validation #10258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Mar 10, 2019
Merged

bpo-35121: prefix dot in domain for proper subdomain validation #10258

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
d67d18e
Prefix domain with dot for proper subdomain validation in domain_retu…
tirkarthi Oct 31, 2018
2816aa8
Add NEWS entry
tirkarthi Oct 31, 2018
dfdc776
Prefix dot only for suffix check and add test
tirkarthi Dec 24, 2018
ecae447
Reword news entry and added extra test
tirkarthi Dec 24, 2018
b2ab4a3
Refactor if clause and fix news entry
tirkarthi Dec 24, 2018
b8e2df1
Ensure return_ok_domain does proper validation
tirkarthi Dec 25, 2018
9d1eed3
Move NEWS to security
tirkarthi Mar 9, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion Lib/http/cookiejar.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1169,11 +1169,14 @@ def domain_return_ok(self, domain, request):
# Liberal check of. This is here as an optimization to avoid
# having to load lots of MSIE cookie files unless necessary.
req_host, erhn = eff_request_host(request)
suffix_check_domain = domain
if not req_host.startswith("."):
req_host = "."+req_host
if not erhn.startswith("."):
erhn = "."+erhn
if not (req_host.endswith(domain) or erhn.endswith(domain)):
if suffix_check_domain and not suffix_check_domain.startswith("."):
suffix_check_domain = "." + suffix_check_domain
if not (req_host.endswith(suffix_check_domain) or erhn.endswith(suffix_check_domain)):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New code should conform to PEP 8.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe use shorter name, e.g. dotdomain?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dotdomain sounds good to me. Perhaps restructure the clause as below removing the assignment at the start?

if domain and not domain.startswith("."):
    dotdomain = "." + domain
else:
    dotdomain = domain

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the code to use dotdomain as mentioned in #10258 (comment). Thanks.

#_debug(" request domain %s does not match cookie domain %s",
# req_host, domain)
return False
Expand Down
27 changes: 27 additions & 0 deletions Lib/test/test_http_cookiejar.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -425,6 +425,8 @@ def test_domain_return_ok(self):
("http://foo/", "foo", True),
("http://foo/", "foo.local", True),
("http://foo/", ".local", True),
("http://barfoo.com", ".foo.com", False),
("http://barfoo.com", "foo.com", False),
]:
request = urllib.request.Request(url)
r = pol.domain_return_ok(domain, request)
Expand Down Expand Up @@ -959,6 +961,31 @@ def test_domain_block(self):
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

c.clear()

pol.set_blocked_domains([])
req = urllib.request.Request("http://acme.com/")
res = FakeResponse(headers, "http://acme.com/")
c.extract_cookies(res, req)
self.assertEqual(len(c), 1)

req = urllib.request.Request("http://acme.com/")
c.add_cookie_header(req)
self.assertTrue(req.has_header("Cookie"))

req = urllib.request.Request("http://badacme.com/")
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

p = pol.set_blocked_domains(["acme.com"])
req = urllib.request.Request("http://acme.com/")
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

req = urllib.request.Request("http://badacme.com/")
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))

def test_secure(self):
for ns in True, False:
for whitespace in " ", "":
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Prefix domain with dot for proper subdomain validation in
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This describes what the code does, which is an implementation detail. A news entry should describe the change in the user visible behavior.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a note about it but this is also affects when domain_return_ok is present. I couldn't come up with a better wording since I am not a native speaker. Suggestions welcome. This started as a bug fix but since this
turned out to be a security issue is it okay to move this to security section?

Don't send cookies of domain A without Domain attribute to domain B
when domain A is a suffix match of domain B while using a cookiejar
with :meth:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
Karthikeyan Singaravelan.

:meth:`http.cookiejar.DefaultCookiePolicy.domain_return_ok`
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy