[New-bugs-announce] [issue42766] urllib.request.HTTPPasswordMgr uses commonprefix instead of commonpath
report at bugs.python.org
Mon Dec 28 10:42:33 EST 2020
New submission from Donát Nagy <m1nagdon at gmail.com>:
The is_suburi(self, base, test) method of HTTPPasswordMgr in the urllib.request module tries to "Check if test is below base in a URI tree", but it uses the posixpath.commonprefix() function. This is problematic because commonprefix ignores the path structure (for example commonprefix(['/usr/lib', '/usr/local/lib'])=='/usr/l') and therefore the current implementation of is_suburi is essentially equivalent to calling str.startswith after some normalization steps.
If we want to say that example.com/resource101 is *NOT* below example.com/resource1 in a URI tree, then the call to commonprefix should be replaced by a call to posixpath.commonpath(), which does the right thing.
components: Library (Lib)
title: urllib.request.HTTPPasswordMgr uses commonprefix instead of commonpath
versions: Python 3.10
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce