From def9e64d6aee945c19d9dab896fa91e915d96843 Mon Sep 17 00:00:00 2001 From: Karthikeyan Singaravelan Date: Mon, 20 May 2019 00:33:52 +0530 Subject: [PATCH 1/2] Prefix dot in domain for proper subdomain validation --- Lib/cookielib.py | 13 +++++++++++-- Lib/test/test_cookielib.py | 30 ++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/Lib/cookielib.py b/Lib/cookielib.py index 2dd7c48728e098..0b471a42f29690 100644 --- a/Lib/cookielib.py +++ b/Lib/cookielib.py @@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request): req_host, erhn = eff_request_host(request) domain = cookie.domain + if domain and not domain.startswith("."): + dotdomain = "." + domain + else: + dotdomain = domain + # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't if (cookie.version == 0 and (self.strict_ns_domain & self.DomainStrictNonDomain) and @@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request): _debug(" effective request-host name %s does not domain-match " "RFC 2965 cookie domain %s", erhn, domain) return False - if cookie.version == 0 and not ("."+erhn).endswith(domain): + if cookie.version == 0 and not ("."+erhn).endswith(dotdomain): _debug(" request-host %s does not match Netscape cookie domain " "%s", req_host, domain) return False @@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request): req_host = "."+req_host if not erhn.startswith("."): erhn = "."+erhn - if not (req_host.endswith(domain) or erhn.endswith(domain)): + if domain and not domain.startswith("."): + dotdomain = "." + domain + else: + dotdomain = domain + if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)): #_debug(" request domain %s does not match cookie domain %s", # req_host, domain) return False diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py index f2dd9727d13708..7f7ff614d61d3a 100644 --- a/Lib/test/test_cookielib.py +++ b/Lib/test/test_cookielib.py @@ -368,6 +368,7 @@ def test_domain_return_ok(self): ("http://foo.bar.com/", ".foo.bar.com", True), ("http://foo.bar.com/", "foo.bar.com", True), ("http://foo.bar.com/", ".bar.com", True), + ("http://foo.bar.com/", "bar.com", True), ("http://foo.bar.com/", "com", True), ("http://foo.com/", "rhubarb.foo.com", False), ("http://foo.com/", ".foo.com", True), @@ -378,6 +379,8 @@ def test_domain_return_ok(self): ("http://foo/", "foo", True), ("http://foo/", "foo.local", True), ("http://foo/", ".local", True), + ("http://barfoo.com", ".foo.com", False), + ("http://barfoo.com", "foo.com", False), ]: request = urllib2.Request(url) r = pol.domain_return_ok(domain, request) @@ -938,6 +941,33 @@ def test_domain_block(self): c.add_cookie_header(req) self.assertFalse(req.has_header("Cookie")) + c.clear() + + pol.set_blocked_domains([]) + req = Request("http://acme.com/") + res = FakeResponse(headers, "http://acme.com/") + cookies = c.make_cookies(res, req) + c.extract_cookies(res, req) + self.assertEqual(len(c), 1) + + req = Request("http://acme.com/") + c.add_cookie_header(req) + self.assertTrue(req.has_header("Cookie")) + + req = Request("http://badacme.com/") + c.add_cookie_header(req) + self.assertFalse(pol.return_ok(cookies[0], req)) + self.assertFalse(req.has_header("Cookie")) + + p = pol.set_blocked_domains(["acme.com"]) + req = Request("http://acme.com/") + c.add_cookie_header(req) + self.assertFalse(req.has_header("Cookie")) + + req = Request("http://badacme.com/") + c.add_cookie_header(req) + self.assertFalse(req.has_header("Cookie")) + def test_secure(self): from cookielib import CookieJar, DefaultCookiePolicy From f16d63102d323836ccfff63f92c92f709f6cb6be Mon Sep 17 00:00:00 2001 From: Karthikeyan Singaravelan Date: Mon, 20 May 2019 00:35:26 +0530 Subject: [PATCH 2/2] Add NEWS entry --- .../next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst new file mode 100644 index 00000000000000..77251806163b35 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst @@ -0,0 +1,4 @@ +Don't send cookies of domain A without Domain attribute to domain B when +domain A is a suffix match of domain B while using a cookiejar with +:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan +Singaravelan. pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy