diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index 0ba8200f325a62..07ec9785ec3c47 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -992,7 +992,7 @@ def set_ok_path(self, cookie, request):
req_path = request_path(request)
if ((cookie.version > 0 or
(cookie.version == 0 and self.strict_ns_set_path)) and
- not req_path.startswith(cookie.path)):
+ not self.path_return_ok(cookie.path, request)):
_debug(" path attribute %s is not a prefix of request "
"path %s", cookie.path, req_path)
return False
@@ -1190,11 +1190,15 @@ def domain_return_ok(self, domain, request):
def path_return_ok(self, path, request):
_debug("- checking cookie path=%s", path)
req_path = request_path(request)
- if not req_path.startswith(path):
- _debug(" %s does not path-match %s", req_path, path)
- return False
- return True
+ pathlen = len(path)
+ if req_path == path:
+ return True
+ elif (req_path.startswith(path) and
+ (path.endswith("/") or req_path[pathlen:pathlen+1] == "/")):
+ return True
+ _debug(" %s does not path-match %s", req_path, path)
+ return False
def vals_sorted_by_key(adict):
keys = sorted(adict.keys())
diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
index 8dbea3325d9b99..8bdaf5c5754829 100644
--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -692,6 +692,30 @@ def test_request_path(self):
req = urllib.request.Request("http://www.example.com")
self.assertEqual(request_path(req), "/")
+ def test_path_prefix_match(self):
+ pol = DefaultCookiePolicy()
+ strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True)
+
+ c = CookieJar(pol)
+ base_url = "http://bar.com"
+ interact_netscape(c, base_url, 'spam=eggs; Path=/foo')
+ cookie = c._cookies['bar.com']['/foo']['spam']
+
+ for path, ok in [('/foo', True),
+ ('/foo/', True),
+ ('/foo/bar', True),
+ ('/', False),
+ ('/foobad/foo', False)]:
+ url = f'{base_url}{path}'
+ req = urllib.request.Request(url)
+ h = interact_netscape(c, url)
+ if ok:
+ self.assertIn('spam=eggs', h, f"cookie not set for {path}")
+ self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req))
+ else:
+ self.assertNotIn('spam=eggs', h, f"cookie set for {path}")
+ self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req))
+
def test_request_port(self):
req = urllib.request.Request("http://www.acme.com:1234/",
headers={"Host": "www.acme.com:4321"})
diff --git a/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst
new file mode 100644
index 00000000000000..032e1e2c00bc5d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst
@@ -0,0 +1,3 @@
+Don't set cookie for a request when the request path is a prefix match of
+the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan
+Singaravelan.
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy