author | Xtreak <tir.karthi@gmail.com> | 2019-03-16 23:42:11 (GMT) |
---|---|---|
committer | larryhastings <larry@hastings.org> | 2019-03-16 23:42:11 (GMT) |
commit | 382981b25092b5e9285f1e4894142af1e8f2ca86 (patch) | |
tree | eedf2d201585d5442ebaca5c80756d77403e0b8a | |
parent | c0d95113b070799679bcb9dc49d4960d82e8bb08 (diff) | |
bpo-35647: Fix path check in cookiejar (#11436) (#12277)
* Refactor cookie path check as per RFC 6265
* Add tests for prefix match of path
* Add news entry
* Fix set_ok_path and refactor tests
* Use slice for last letter
(cherry picked from commit 0e1f1f01058bd4a9b98cfe443214adecc019a38c)
-rw-r--r-- | Lib/http/cookiejar.py | 14 | ||||
-rw-r--r-- | Lib/test/test_http_cookiejar.py | 26 | ||||
-rw-r--r-- | Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst | 3 |
3 files changed, 38 insertions, 5 deletions
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py index 6d4572a..f800b56 100644 --- a/Lib/http/cookiejar.py +++ b/Lib/http/cookiejar.py @@ -993,7 +993,7 @@ class DefaultCookiePolicy(CookiePolicy): req_path = request_path(request) if ((cookie.version > 0 or (cookie.version == 0 and self.strict_ns_set_path)) and - not req_path.startswith(cookie.path)): + not self.path_return_ok(cookie.path, request)): _debug(" path attribute %s is not a prefix of request " "path %s", cookie.path, req_path) return False @@ -1191,11 +1191,15 @@ class DefaultCookiePolicy(CookiePolicy): def path_return_ok(self, path, request): _debug("- checking cookie path=%s", path) req_path = request_path(request) - if not req_path.startswith(path): - _debug(" %s does not path-match %s", req_path, path) - return False - return True + pathlen = len(path) + if req_path == path: + return True + elif (req_path.startswith(path) and + (path.endswith("/") or req_path[pathlen:pathlen+1] == "/")): + return True + _debug(" %s does not path-match %s", req_path, path) + return False def vals_sorted_by_key(adict): keys = sorted(adict.keys()) diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py index 49c01ae..9345c25 100644 --- a/Lib/test/test_http_cookiejar.py +++ b/Lib/test/test_http_cookiejar.py 
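Review bot: In the first cookiejar.py hunk (@@ -993), the set-time check now calls `self.path_return_ok(cookie.path, request)`, a public policy hook, so a subclass that overrides it to change which cookies are returned would also change which cookies are accepted. The call also recomputes `request_path(request)` and logs the return-phase line `- checking cookie path=%s` while a cookie is being set, and the surviving message "is not a prefix of request path" no longer describes the test being made. A small private helper that takes the two path strings, used by both the set-time check and `path_return_ok`, would keep one definition of path-match without coupling the two phases. The enclosing method starts and ends outside the hunk.

```python
def _path_match(req_path, cookie_path):
    """Return True if req_path path-matches cookie_path (RFC 6265, 5.1.4)."""
    if req_path == cookie_path:
        return True
    boundary = len(cookie_path)
    return (req_path.startswith(cookie_path) and
            (cookie_path.endswith("/") or
             req_path[boundary:boundary + 1] == "/"))

# … unchanged: version / strict_ns_set_path condition in the set-time check …
                not _path_match(req_path, cookie.path)):
```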
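Review bot: The new body of `path_return_ok` (second cookiejar.py hunk, @@ -1191) has no comment tying its accepting conditions to the path-match rules of RFC 6265 section 5.1.4, so the boundary test `req_path[pathlen:pathlen+1] == "/"` reads as arbitrary slicing. A comment above the `if` such as `# RFC 6265 5.1.4: equal paths match; otherwise the cookie path must be a prefix that ends at a "/" boundary` would record why a bare `startswith` is not enough. It could also say that an empty `path` is accepted for any request path beginning with "/", because `startswith("")` is true and the slice is then the first character of `req_path`. The same RFC cautions that Path is not a dependable isolation boundary, so the docstring should not present this check as one.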
@@ -694,6 +694,32 @@ class CookieTests(unittest.TestCase): req = urllib.request.Request("http://www.example.com") self.assertEqual(request_path(req), "/") + def test_path_prefix_match(self): + pol = DefaultCookiePolicy() + strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True) + + c = CookieJar(pol) + base_url = "http://bar.com" + interact_netscape(c, base_url, 'spam=eggs; Path=/foo') + cookie = c._cookies['bar.com']['/foo']['spam'] + + for path, ok in [('/foo', True), + ('/foo/', True), + ('/foo/bar', True), + ('/', False), + ('/foobad/foo', False)]: + url = '{0}{1}'.format(base_url, path) + req = urllib.request.Request(url) + h = interact_netscape(c, url) + if ok: + self.assertIn('spam=eggs', h, + "cookie not set for {0}".format(path)) + self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req)) + else: + self.assertNotIn('spam=eggs', h, + "cookie set for {0}".format(path)) + self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req)) + def test_request_port(self): req = urllib.request.Request("http://www.acme.com:1234/", headers={"Host": "www.acme.com:4321"}) diff --git a/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst new file mode 100644 index 0000000..032e1e2 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst @@ -0,0 +1,3 @@ +Don't set cookie for a request when the request path is a prefix match of +the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan +Singaravelan. |
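Review bot: `test_path_prefix_match` sets only a cookie with `Path=/foo`, so the `path.endswith("/")` branch of the new path-match is never exercised. A second cookie with `Path=/foo/` would cover it, with `/foo` expected to be rejected and `/foo/` and `/foo/bar` accepted. The loop body would also be better wrapped in `with self.subTest(path=path):`, so that one failing path does not hide the results for the others. Reading the cookie back through `c._cookies['bar.com']['/foo']['spam']` ties the test to the jar's private layout; iterating the jar to find the cookie would avoid that.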