[New-bugs-announce] [issue42766] urllib.request.HTTPPasswordMgr uses commonprefix instead of commonpath

Donát Nagy report at bugs.python.org
Mon Dec 28 10:42:33 EST 2020

New submission from Donát Nagy <m1nagdon at gmail.com>:

The is_suburi(self, base, test) method of HTTPPasswordMgr in the urllib.request module tries to "Check if test is below base in a URI tree", but it uses the posixpath.commonprefix() function. This is problematic because commonprefix ignores the path structure (for example commonprefix(['/usr/lib', '/usr/local/lib'])=='/usr/l') and therefore the current implementation of is_suburi is essentially equivalent to calling str.startswith after some normalization steps.

If we want to say that example.com/resource101 is *NOT* below example.com/resource1 in a URI tree, then the call to commonprefix should be replaced by a call to posixpath.commonpath(), which does the right thing.

components: Library (Lib)
messages: 383898
nosy: nagdon
priority: normal
severity: normal
status: open
title: urllib.request.HTTPPasswordMgr uses commonprefix instead of commonpath
type: behavior
versions: Python 3.10

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list