path: root/Lib/test/test_http_cookiejar.py
Commit log (subject, then [author, date; files changed, lines -removed/+added]):
* bpo-45229: Make test_http_cookiejar discoverable (GH-29004)  [Serhiy Storchaka, 2021-10-17; 1 file, -10/+1]
* bpo-38976: Add support for HTTP Only flag in MozillaCookieJar (#17471)  [Jacob Neil Taylor, 2020-10-23; 1 file, -0/+5]
    Add support for HTTP Only flag in MozillaCookieJar

    Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
* bpo-40275: Use new test.support helper submodules in tests (GH-21743)  [Hai Shi, 2020-08-06; 1 file, -8/+10]
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157)  [bcaller, 2019-11-22; 1 file, -0/+13]
    The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
    expression denial of service (REDoS).

    LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
    to parse Set-Cookie headers returned by a server.

    Processing a response from a malicious HTTP server can lead to extreme
    CPU usage and execution will be blocked for a long time.

    The regex contained multiple overlapping \s* capture groups.

    Ignoring the ?-optional capture groups the regex could be simplified to

        \d+-\w+-\d+(\s*\s*\s*)$

    Therefore, a long sequence of spaces can trigger bad performance.

    Matching a malicious string such as

        LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

    caused catastrophic backtracking.

    The fix removes ambiguity about which \s* should match a particular space.

    You can create a malicious server which responds with Set-Cookie headers
    to attack all python programs which access it e.g.

        from http.server import BaseHTTPRequestHandler, HTTPServer

        def make_set_cookie_value(n_spaces):
            spaces = " " * n_spaces
            expiry = f"1-c-1{spaces}!"
            return f"b;Expires={expiry}"

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                self.log_request(204)
                self.send_response_only(204)  # Don't bother sending Server and Date
                n_spaces = (
                    int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                    if len(self.path) > 1
                    else 65506  # Max header line length 65536
                )
                value = make_set_cookie_value(n_spaces)
                for i in range(99):  # Not necessary, but we can have up to 100 header lines
                    self.send_header("Set-Cookie", value)
                self.end_headers()

        if __name__ == "__main__":
            HTTPServer(("", 44020), Handler).serve_forever()

    This server returns 99 Set-Cookie headers. Each has 65506 spaces.

    Extracting the cookies will pretty much never complete.

    Vulnerable client using the example at the bottom of
    https://docs.python.org/3/library/http.cookiejar.html :

        import http.cookiejar, urllib.request
        cj = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        r = opener.open("http://localhost:44020/")

    The popular requests library was also vulnerable without any additional
    options (as it uses http.cookiejar by default):

        import requests
        requests.get("http://localhost:44020/")

    * Regression test for http.cookiejar REDoS

    If we regress, this test will take a very long time.

    * Improve performance of http.cookiejar.ISO_DATE_RE

    A string like "444444" + (" " * 2000) + "A" could cause poor performance
    due to the 2 overlapping \s* groups, although this is not as serious as
    the REDoS in LOOSE_HTTP_DATE_RE was.
* bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies (GH-13921)  [Xtreak, 2019-09-13; 1 file, -0/+9]
    Handle time comparison for cookies with `expires` attribute when
    `CookieJar.make_cookies` is called.

    Co-authored-by: Demian Brecht <demianbrecht@gmail.com>
    https://bugs.python.org/issue12144

    Automerge-Triggered-By: @asvetlov
* bpo-35647: Fix path check in cookiejar (#11436)  [Xtreak, 2019-03-10; 1 file, -0/+24]
    * Refactor cookie path check as per RFC 6265
    * Add tests for prefix match of path
    * Add news entry
    * Fix set_ok_path and refactor tests
    * Use slice for last letter
* bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258)  [Xtreak, 2019-03-10; 1 file, -0/+30]
    Don't send cookies of domain A without Domain attribute to domain B when
    domain A is a suffix match of domain B while using a cookiejar with
    `http.cookiejar.DefaultCookiePolicy` policy.

    Patch by Karthikeyan Singaravelan.
* bpo-36043: FileCookieJar supports os.PathLike (GH-11945)  [Stéphane Wirtel, 2019-03-01; 1 file, -0/+25]
    https://bugs.python.org/issue36043
* bpo-35133: Fix mistakes when concatenate string literals on different lines. (GH-10284)  [Serhiy Storchaka, 2018-11-05; 1 file, -4/+2]
    Two kinds of mistakes:

    1. Missed space. After concatenating there is no space between words.
    2. Missed comma. Causes unintentional concatenating in a list of strings.
* bpo-34911: Added support for secure websocket cookies (GH-9734)  [Paul Bailey, 2018-10-08; 1 file, -0/+55]
* #27364: fix "incorrect" uses of escape character in the stdlib.  [R David Murray, 2016-09-08; 1 file, -3/+3]
    And most of the tools.

    Patch by Emanuel Barry, reviewed by me, Serhiy Storchaka, and Martin Panter.
* Issue #27626: Spelling fixes in docs, comments and internal names  [Martin Panter, 2016-07-28; 1 file, -1/+1]
    Based on patch by Ville Skyttä.
* Issue #27466: Change time format returned by http.cookie.time2netscape, confirming the netscape cookie format.  [Senthil Kumaran, 2016-07-10; 1 file, -0/+22]
* Issue #27076: Doc, comment and tests spelling fixes  [Martin Panter, 2016-05-26; 1 file, -1/+1]
    Most fixes to Doc/ and Lib/ directories by Ville Skyttä.
* Issue #16181: cookiejar.http2time() now returns None if year is higher than datetime.MAXYEAR  [Berker Peksag, 2016-03-14; 1 file, -0/+4]
* Issue #23888: Handle fractional time in cookie expiry. Patch by ssh.  [Robert Collins, 2015-08-03; 1 file, -0/+9]
* Issue #23138: Fixed parsing cookies with absent keys or values in cookiejar.  [Serhiy Storchaka, 2015-03-13; 1 file, -0/+23]
    Patch by Demian Brecht.
* Issue #19606: Use specific asserts in http.cookiejar tests.  [Serhiy Storchaka, 2013-11-17; 1 file, -84/+73]
* #18466: fix more typos. Patch by Févry Thibault.  [Ezio Melotti, 2013-08-17; 1 file, -1/+1]
* #18484: improve test coverage of http.cookiejar. Patch by Vajrasky Kok.  [Ezio Melotti, 2013-08-10; 1 file, -6/+67]
* #18483: add one more date format in test_http2time_formats. Patch by Vajrasky Kok.  [Ezio Melotti, 2013-08-10; 1 file, -0/+2]
* PEP 3151 / issue #12555: reworking the OS and IO exception hierarchy.  [Antoine Pitrou, 2011-10-12; 1 file, -5/+6]
* this should be an identity test  [Benjamin Peterson, 2011-07-14; 1 file, -1/+1]
* #9424: Replace deprecated assert* methods in the Python test suite.  [Ezio Melotti, 2010-11-20; 1 file, -133/+133]
* Fix file closing in test_http_cookiejar.  [Brett Cannon, 2010-10-29; 1 file, -5/+5]
* Fixes Issue #3704: http.cookiejar was not properly handling URLs with a / in the parameters.  [Gregory P. Smith, 2010-07-19; 1 file, -26/+38]
    (This is jjlee's issue3704.patch ported to py3k)
* Merged revisions 81465-81466,81468,81679,81735,81760,81868,82183 via svnmerge from svn+ssh://pythondev@svn.python.org/python/trunk  [Benjamin Peterson, 2010-06-27; 1 file, -0/+13]
    ........
      r81465 | georg.brandl | 2010-05-22 06:29:19 -0500 (Sat, 22 May 2010) | 2 lines

      Issue #3924: Ignore cookies with invalid "version" field in cookielib.
    ........
      r81466 | georg.brandl | 2010-05-22 06:31:16 -0500 (Sat, 22 May 2010) | 1 line

      Underscore the name of an internal utility function.
    ........
      r81468 | georg.brandl | 2010-05-22 06:43:25 -0500 (Sat, 22 May 2010) | 1 line

      #8635: document enumerate() start parameter in docstring.
    ........
      r81679 | benjamin.peterson | 2010-06-03 16:21:03 -0500 (Thu, 03 Jun 2010) | 1 line

      use a set for membership testing
    ........
      r81735 | michael.foord | 2010-06-05 06:46:59 -0500 (Sat, 05 Jun 2010) | 1 line

      Extract error message truncating into a method (unittest.TestCase._truncateMessage).
    ........
      r81760 | michael.foord | 2010-06-05 14:38:42 -0500 (Sat, 05 Jun 2010) | 1 line

      Issue 8302. SkipTest exception is setUpClass or setUpModule is now reported as a skip rather than an error.
    ........
      r81868 | benjamin.peterson | 2010-06-09 14:45:04 -0500 (Wed, 09 Jun 2010) | 1 line

      fix code formatting
    ........
      r82183 | benjamin.peterson | 2010-06-23 15:29:26 -0500 (Wed, 23 Jun 2010) | 1 line

      cpython only gc tests
    ........
* use assert[Not]In where appropriate  [Ezio Melotti, 2010-01-23; 1 file, -19/+17]
* use assert[Not]In where appropriate  [Benjamin Peterson, 2010-01-19; 1 file, -26/+28]
    A patch from Dave Malcolm.
* convert old fail* assertions to assert*  [Benjamin Peterson, 2009-06-30; 1 file, -110/+110]
* Simplify the Request class.  [Jeremy Hylton, 2009-03-31; 1 file, -5/+0]
    The basic components of the parsed Request are now available as public
    attributes, e.g. full_url and host.  The accessor methods are deprecated.
    The implementation replaces the complicated __getattr__ machinery with a
    _parse() method.

    The response from an HTTP request is now an HTTPResponse instance instead
    of an addinfourl() wrapper instance.  The wrapper provided minimal extract
    functionality and was undocumented.  The API of addinfourl() was preserved,
    except for close hooks, by adding a few methods and public attributes to
    the HTTPResponse class.
* Issue #3300: make urllib.parse.[un]quote() default to UTF-8.  [Guido van Rossum, 2008-08-18; 1 file, -1/+4]
    Code contributed by Matt Giuca.  quote() now encodes the input before
    quoting, unquote() decodes after unquoting.  There are new arguments to
    change the encoding and errors settings.  There are also new APIs to skip
    the encode/decode steps.  [un]quote_plus() are also affected.
* Make a new urllib package.  [Jeremy Hylton, 2008-06-18; 1 file, -45/+47]
    It consists of code from urllib, urllib2, urlparse, and robotparser.  The
    old modules have all been removed.  The new package has five submodules:
    urllib.parse, urllib.request, urllib.response, urllib.error, and
    urllib.robotparser.  The urllib.request.urlopen() function uses the url
    opener from urllib2.

    Note that the unittests have not been renamed for the beta, but they will
    be renamed in the future.

    Joint work with Senthil Kumaran.
* Patch for issue 2848, mostly by Humberto Diogenes, with a couple of small fixes by Barry.  [Barry Warsaw, 2008-06-12; 1 file, -3/+2]
    This removes mimetools from the stdlib.
* Create http package. #2883.  [Georg Brandl, 2008-05-26; 1 file, -0/+1637]