|
@ -0,0 +1,123 @@ |
|
|
|
|
|
From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: Xtreak <tir.karthi@gmail.com> |
|
|
|
|
|
Date: Sat, 15 Jun 2019 20:59:43 +0530 |
|
|
|
|
|
Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain |
|
|
|
|
|
validation (GH-10258) (GH-13426) |
|
|
|
|
|
|
|
|
|
|
|
This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
https://bugs.python.org/issue35121 |
|
|
|
|
|
---
|
|
|
|
|
|
Lib/cookielib.py | 13 ++++++-- |
|
|
|
|
|
Lib/test/test_cookielib.py | 30 +++++++++++++++++++ |
|
|
|
|
|
.../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | 4 +++ |
|
|
|
|
|
3 files changed, 45 insertions(+), 2 deletions(-) |
|
|
|
|
|
create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Lib/cookielib.py b/Lib/cookielib.py
|
|
|
|
|
|
index 2dd7c48728..0b471a42f2 100644
|
|
|
|
|
|
--- a/Lib/cookielib.py
|
|
|
|
|
|
+++ b/Lib/cookielib.py
|
|
|
|
|
|
@@ -1139,6 +1139,11 @@ class DefaultCookiePolicy(CookiePolicy):
|
|
|
|
|
|
req_host, erhn = eff_request_host(request) |
|
|
|
|
|
domain = cookie.domain |
|
|
|
|
|
|
|
|
|
|
|
+ if domain and not domain.startswith("."):
|
|
|
|
|
|
+ dotdomain = "." + domain
|
|
|
|
|
|
+ else:
|
|
|
|
|
|
+ dotdomain = domain
|
|
|
|
|
|
+
|
|
|
|
|
|
# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't |
|
|
|
|
|
if (cookie.version == 0 and |
|
|
|
|
|
(self.strict_ns_domain & self.DomainStrictNonDomain) and |
|
|
|
|
|
@@ -1151,7 +1156,7 @@ class DefaultCookiePolicy(CookiePolicy):
|
|
|
|
|
|
_debug(" effective request-host name %s does not domain-match " |
|
|
|
|
|
"RFC 2965 cookie domain %s", erhn, domain) |
|
|
|
|
|
return False |
|
|
|
|
|
- if cookie.version == 0 and not ("."+erhn).endswith(domain):
|
|
|
|
|
|
+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
|
|
|
|
|
|
_debug(" request-host %s does not match Netscape cookie domain " |
|
|
|
|
|
"%s", req_host, domain) |
|
|
|
|
|
return False |
|
|
|
|
|
@@ -1165,7 +1170,11 @@ class DefaultCookiePolicy(CookiePolicy):
|
|
|
|
|
|
req_host = "."+req_host |
|
|
|
|
|
if not erhn.startswith("."): |
|
|
|
|
|
erhn = "."+erhn |
|
|
|
|
|
- if not (req_host.endswith(domain) or erhn.endswith(domain)):
|
|
|
|
|
|
+ if domain and not domain.startswith("."):
|
|
|
|
|
|
+ dotdomain = "." + domain
|
|
|
|
|
|
+ else:
|
|
|
|
|
|
+ dotdomain = domain
|
|
|
|
|
|
+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
|
|
|
|
|
|
#_debug(" request domain %s does not match cookie domain %s", |
|
|
|
|
|
# req_host, domain) |
|
|
|
|
|
return False |
|
|
|
|
|
diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
|
|
|
|
|
|
index f2dd9727d1..7f7ff614d6 100644
|
|
|
|
|
|
--- a/Lib/test/test_cookielib.py
|
|
|
|
|
|
+++ b/Lib/test/test_cookielib.py
|
|
|
|
|
|
@@ -368,6 +368,7 @@ class CookieTests(TestCase):
|
|
|
|
|
|
("http://foo.bar.com/", ".foo.bar.com", True), |
|
|
|
|
|
("http://foo.bar.com/", "foo.bar.com", True), |
|
|
|
|
|
("http://foo.bar.com/", ".bar.com", True), |
|
|
|
|
|
+ ("http://foo.bar.com/", "bar.com", True),
|
|
|
|
|
|
("http://foo.bar.com/", "com", True), |
|
|
|
|
|
("http://foo.com/", "rhubarb.foo.com", False), |
|
|
|
|
|
("http://foo.com/", ".foo.com", True), |
|
|
|
|
|
@@ -378,6 +379,8 @@ class CookieTests(TestCase):
|
|
|
|
|
|
("http://foo/", "foo", True), |
|
|
|
|
|
("http://foo/", "foo.local", True), |
|
|
|
|
|
("http://foo/", ".local", True), |
|
|
|
|
|
+ ("http://barfoo.com", ".foo.com", False),
|
|
|
|
|
|
+ ("http://barfoo.com", "foo.com", False),
|
|
|
|
|
|
]: |
|
|
|
|
|
request = urllib2.Request(url) |
|
|
|
|
|
r = pol.domain_return_ok(domain, request) |
|
|
|
|
|
@@ -938,6 +941,33 @@ class CookieTests(TestCase):
|
|
|
|
|
|
c.add_cookie_header(req) |
|
|
|
|
|
self.assertFalse(req.has_header("Cookie")) |
|
|
|
|
|
|
|
|
|
|
|
+ c.clear()
|
|
|
|
|
|
+
|
|
|
|
|
|
+ pol.set_blocked_domains([])
|
|
|
|
|
|
+ req = Request("http://acme.com/")
|
|
|
|
|
|
+ res = FakeResponse(headers, "http://acme.com/")
|
|
|
|
|
|
+ cookies = c.make_cookies(res, req)
|
|
|
|
|
|
+ c.extract_cookies(res, req)
|
|
|
|
|
|
+ self.assertEqual(len(c), 1)
|
|
|
|
|
|
+
|
|
|
|
|
|
+ req = Request("http://acme.com/")
|
|
|
|
|
|
+ c.add_cookie_header(req)
|
|
|
|
|
|
+ self.assertTrue(req.has_header("Cookie"))
|
|
|
|
|
|
+
|
|
|
|
|
|
+ req = Request("http://badacme.com/")
|
|
|
|
|
|
+ c.add_cookie_header(req)
|
|
|
|
|
|
+ self.assertFalse(pol.return_ok(cookies[0], req))
|
|
|
|
|
|
+ self.assertFalse(req.has_header("Cookie"))
|
|
|
|
|
|
+
|
|
|
|
|
|
+ p = pol.set_blocked_domains(["acme.com"])
|
|
|
|
|
|
+ req = Request("http://acme.com/")
|
|
|
|
|
|
+ c.add_cookie_header(req)
|
|
|
|
|
|
+ self.assertFalse(req.has_header("Cookie"))
|
|
|
|
|
|
+
|
|
|
|
|
|
+ req = Request("http://badacme.com/")
|
|
|
|
|
|
+ c.add_cookie_header(req)
|
|
|
|
|
|
+ self.assertFalse(req.has_header("Cookie"))
|
|
|
|
|
|
+
|
|
|
|
|
|
def test_secure(self): |
|
|
|
|
|
from cookielib import CookieJar, DefaultCookiePolicy |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
|
|
|
|
|
|
new file mode 100644 |
|
|
|
|
|
index 0000000000..7725180616
|
|
|
|
|
|
--- /dev/null
|
|
|
|
|
|
+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
|
|
|
|
|
|
@@ -0,0 +1,4 @@
|
|
|
|
|
|
+Don't send cookies of domain A without Domain attribute to domain B when
|
|
|
|
|
|
+domain A is a suffix match of domain B while using a cookiejar with
|
|
|
|
|
|
+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
|
|
|
|
|
|
+Singaravelan.
|
|
|
|
|
|
--
|
|
|
|
|
|
2.20.1 |
|
|
|
|
|
|