From d67d18e83ba60567f99135c73fd1229026436443 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Wed, 31 Oct 2018 15:37:18 +0530
Subject: [PATCH 1/7] Prefix domain with dot for proper subdomain validation in domain_return_ok
---
 Lib/http/cookiejar.py | 2 ++
 Lib/test/test_http_cookiejar.py | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index 0ba8200f325a62..da7462701bee27 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -1173,6 +1173,8 @@ def domain_return_ok(self, domain, request):
 req_host = "."+req_host
 if not erhn.startswith("."):
 erhn = "."+erhn
+ if not domain.startswith("."):
+ domain = "."+domain
 if not (req_host.endswith(domain) or erhn.endswith(domain)):
 #_debug(" request domain %s does not match cookie domain %s",
 # req_host, domain)
diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
index 8dbea3325d9b99..027c58a842eb20 100644
--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -425,6 +425,8 @@ def test_domain_return_ok(self):
 ("http://foo/", "foo", True),
 ("http://foo/", "foo.local", True),
 ("http://foo/", ".local", True),
+ ("http://barfoo.com", ".foo.com", False),
+ ("http://barfoo.com", "foo.com", False),
 ]:
 request = urllib.request.Request(url)
 r = pol.domain_return_ok(domain, request)

From 2816aa8eb2f99f7ef18ed7e3a22ce70997599cd1 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Wed, 31 Oct 2018 15:55:24 +0530
Subject: [PATCH 2/7] Add NEWS entry
---
 .../next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
diff --git a/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
new file mode 100644
index 00000000000000..fbe6b1bb0137d7
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
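Review bot: The two added lines rebind `domain` itself instead of a local copy, so the dot-prefixed value flows into everything that uses `domain` after the hunk (domain_return_ok continues past the hunk, and the commented-out `_debug` call already references it). The unconditional prefix also turns an empty domain into `"."`, which `endswith` rejects where the old `endswith("")` always accepted it, so if an empty key can ever appear in the jar this is a behaviour change beyond the intended one. Keeping `domain` untouched and comparing against a separate value, `dotdomain = "." + domain if domain and not domain.startswith(".") else domain`, limits the change to the suffix check.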
@@ -0,0 +1,2 @@
+Prefix domain with dot for proper subdomain validation in
+:meth:`http.cookiejar.DefaultCookiePolicy.domain_return_ok`

From dfdc776358e8cbe2e9f4e43e3869749e43876128 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Mon, 24 Dec 2018 13:41:07 +0530
Subject: [PATCH 3/7] Prefix dot only for suffix check and add test
---
 Lib/http/cookiejar.py | 7 ++++---
 Lib/test/test_http_cookiejar.py | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index da7462701bee27..691225dd9f57bf 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -1169,13 +1169,14 @@ def domain_return_ok(self, domain, request):
 # Liberal check of. This is here as an optimization to avoid
 # having to load lots of MSIE cookie files unless necessary.
 req_host, erhn = eff_request_host(request)
+ suffix_check_domain = domain
 if not req_host.startswith("."):
 req_host = "."+req_host
 if not erhn.startswith("."):
 erhn = "."+erhn
- if not domain.startswith("."):
- domain = "."+domain
- if not (req_host.endswith(domain) or erhn.endswith(domain)):
+ if suffix_check_domain and not suffix_check_domain.startswith("."):
+ suffix_check_domain = "." + suffix_check_domain
+ if not (req_host.endswith(suffix_check_domain) or erhn.endswith(suffix_check_domain)):
 #_debug(" request domain %s does not match cookie domain %s",
 # req_host, domain)
 return False
diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
index 027c58a842eb20..8958a3b9caa1d2 100644
--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -961,6 +961,31 @@ def test_domain_block(self):
 c.add_cookie_header(req)
 self.assertFalse(req.has_header("Cookie"))
+ c.clear()
+
+ pol.set_blocked_domains([])
+ req = urllib.request.Request("http://acme.com/")
+ res = FakeResponse(headers, "http://acme.com/")
+ c.extract_cookies(res, req)
+ self.assertEqual(len(c), 1)
+
+ req = urllib.request.Request("http://acme.com/")
+ c.add_cookie_header(req)
+ self.assertTrue(req.has_header("Cookie"))
+
+ req = urllib.request.Request("http://badacme.com/")
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
+ p = pol.set_blocked_domains(["acme.com"])
+ req = urllib.request.Request("http://acme.com/")
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
+ req = urllib.request.Request("http://badacme.com/")
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
 def test_secure(self):
 for ns in True, False:
 for whitespace in " ", "":

From ecae4475cc12e5d09c98557559c7f61e4806b509 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Mon, 24 Dec 2018 15:12:55 +0530
Subject: [PATCH 4/7] Reword news entry and added extra test
---
 Lib/test/test_http_cookiejar.py | 1 +
 .../next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
index 8958a3b9caa1d2..feddb5e3539b4d 100644
--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
 ("http://foo.bar.com/", ".foo.bar.com", True),
 ("http://foo.bar.com/", "foo.bar.com", True),
 ("http://foo.bar.com/", ".bar.com", True),
+ ("http://foo.bar.com/", "bar.com", True),
 ("http://foo.bar.com/", "com", True),
 ("http://foo.com/", "rhubarb.foo.com", False),
 ("http://foo.com/", ".foo.com", True),
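Review bot: The new block in test_domain_block never explains why `badacme.com` is the interesting host, and `p = pol.set_blocked_domains(["acme.com"])` binds a name that nothing in the hunk reads. A one-line comment above the first `badacme.com` request would carry the intent, e.g. `# "badacme.com" ends with "acme.com" but is an unrelated host; the jar must not leak acme.com's cookie to it`, and the assignment can simply be `pol.set_blocked_domains(["acme.com"])`. The second `badacme.com` assertion, made after `acme.com` is blocked, cannot distinguish the suffix fix from the block-list; it would be clearer to state in a comment that it is there to show blocking does not widen the match. test_domain_block starts before this hunk, so `c`, `pol` and `headers` come from earlier in the method.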
diff --git a/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
index fbe6b1bb0137d7..6da983c2b93148 100644
--- a/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+++ b/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
@@ -1,2 +1,4 @@
-Prefix domain with dot for proper subdomain validation in
-:meth:`http.cookiejar.DefaultCookiePolicy.domain_return_ok`
+Don't send cookies of domain A without Domain attribute to domain B
+when domain A is a suffix match of domain B while using a cookiejar
+with :meth:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
+Karthikeyan Singaravelan.

From b2ab4a3cb6e216026530dda26b999e17c8c6ee38 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Mon, 24 Dec 2018 17:08:03 +0530
Subject: [PATCH 5/7] Refactor if clause and fix news entry
---
 Lib/http/cookiejar.py | 9 +++++----
 .../Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index 691225dd9f57bf..bb5f9405d1eb33 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -1169,14 +1169,15 @@ def domain_return_ok(self, domain, request):
 # Liberal check of. This is here as an optimization to avoid
 # having to load lots of MSIE cookie files unless necessary.
 req_host, erhn = eff_request_host(request)
- suffix_check_domain = domain
 if not req_host.startswith("."):
 req_host = "."+req_host
 if not erhn.startswith("."):
 erhn = "."+erhn
- if suffix_check_domain and not suffix_check_domain.startswith("."):
- suffix_check_domain = "." + suffix_check_domain
- if not (req_host.endswith(suffix_check_domain) or erhn.endswith(suffix_check_domain)):
+ if domain and not domain.startswith("."):
+ dotdomain = "." + domain
+ else:
+ dotdomain = domain
+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
 #_debug(" request domain %s does not match cookie domain %s",
 # req_host, domain)
 return False
diff --git a/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
index 6da983c2b93148..d2eb8f1f352c21 100644
--- a/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+++ b/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
@@ -1,4 +1,4 @@
 Don't send cookies of domain A without Domain attribute to domain B
 when domain A is a suffix match of domain B while using a cookiejar
-with :meth:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
 Karthikeyan Singaravelan.

From b8e2df1dce7c38890ba238ebf449dceb65217a11 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Tue, 25 Dec 2018 20:28:40 +0530
Subject: [PATCH 6/7] Ensure return_ok_domain does proper validation
---
 Lib/http/cookiejar.py | 7 ++++++-
 Lib/test/test_http_cookiejar.py | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index bb5f9405d1eb33..f46e677e08d0cb 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
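Review bot: The new `dotdomain` branch carries no comment saying why the dot is prepended, and the reason is the security point of the whole series: without it `".badacme.com".endswith("acme.com")` is true, so a bare `acme.com` jar key would pass this check for an unrelated host. A line above the `if` would preserve that, e.g. `# Compare on a dot-prefixed domain so "acme.com" matches only itself and its subdomains, never a host like "badacme.com" (bpo-35121)`. The `domain and` guard also deserves a clause, since its effect is that an empty domain keeps matching every host as it did before (`endswith("")` is always true) rather than matching nothing; whether an empty key can occur here is not visible in the hunk. domain_return_ok continues past the hunk, and the block/allow-list checks there presumably still see the undotted `domain`.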
@@ -1147,6 +1147,11 @@ def return_ok_domain(self, cookie, request):
 req_host, erhn = eff_request_host(request)
 domain = cookie.domain
+ if domain and not domain.startswith("."):
+ dotdomain = "." + domain
+ else:
+ dotdomain = domain
+
 # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
 if (cookie.version == 0 and
 (self.strict_ns_domain & self.DomainStrictNonDomain) and
@@ -1159,7 +1164,7 @@ def return_ok_domain(self, cookie, request):
 _debug(" effective request-host name %s does not domain-match "
 "RFC 2965 cookie domain %s", erhn, domain)
 return False
- if cookie.version == 0 and not ("."+erhn).endswith(domain):
+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
 _debug(" request-host %s does not match Netscape cookie domain "
 "%s", req_host, domain)
 return False
diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
index feddb5e3539b4d..73acfc5700205e 100644
--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -967,6 +967,7 @@ def test_domain_block(self):
 pol.set_blocked_domains([])
 req = urllib.request.Request("http://acme.com/")
 res = FakeResponse(headers, "http://acme.com/")
+ cookies = c.make_cookies(res, req)
 c.extract_cookies(res, req)
 self.assertEqual(len(c), 1)
@@ -976,6 +977,7 @@ def test_domain_block(self):
 req = urllib.request.Request("http://badacme.com/")
 c.add_cookie_header(req)
+ self.assertFalse(pol.return_ok(cookies[0], req))
 self.assertFalse(req.has_header("Cookie"))
 p = pol.set_blocked_domains(["acme.com"])

From 9d1eed360722ccacc48c4f5d2fb97b61157197a5 Mon Sep 17 00:00:00 2001
From: xtreak
Date: Sat, 9 Mar 2019 15:18:40 +0530
Subject: [PATCH 7/7] Move NEWS to security
---
 .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Misc/NEWS.d/next/{Library => Security}/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst (100%)
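Review bot: The `dotdomain` block added at the top of return_ok_domain is a verbatim copy of the one added to domain_return_ok in the previous commit, and both encode the same two subtleties (the empty-string guard and the leading-dot test) that must stay in step for the suffix check to be consistent between the cheap pre-filter and the real policy check. A small module-level helper shared by both, `def _dot_prefixed(domain): return "." + domain if domain and not domain.startswith(".") else domain`, would remove the duplication; `dotdomain` is also only consumed in the `cookie.version == 0` Netscape branch, so computing it there would keep it next to its single use. Separately, a version-0 cookie set by `acme.com` with no Domain attribute is still returned to `www.acme.com` after this change (`".www.acme.com".endswith(".acme.com")` is true) unless `DomainStrictNonDomain` is set in `strict_ns_domain`, which the strict branch visible in the hunk handles; that looks like deliberate Netscape-compatible behaviour, but a comment on the Netscape check saying so would stop the next reader from taking this commit for a fix of host-only cookie scoping. return_ok_domain continues past the second hunk.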
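Review bot: In the second test hunk `pol.return_ok(cookies[0], req)` indexes the list produced by the separate `make_cookies` call without first pinning its length, so a parsing change that yielded zero or several cookies would surface as an IndexError or an assertion against the wrong cookie rather than a clear failure. Adding `self.assertEqual(len(cookies), 1)` right after `cookies = c.make_cookies(res, req)` makes the `[0]` explicit, and a short comment such as `# check the policy directly, not just the absence of a Cookie header` would say why `return_ok` is asserted in addition to `has_header`. test_domain_block begins and ends outside these hunks.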
diff --git a/Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
similarity index 100%
rename from Misc/NEWS.d/next/Library/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
rename to Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
pFad - Phonifier reborn
