[Python-checkins] bpo-35647: Fix path check in cookiejar (#11436)
Senthil Kumaran
webhook-mailer at python.org
Sun Mar 10 13:12:41 EDT 2019
https://github.com/python/cpython/commit/0e1f1f01058bd4a9b98cfe443214adecc019a38c
commit: 0e1f1f01058bd4a9b98cfe443214adecc019a38c
branch: master
author: Xtreak <tir.karthi at gmail.com>
committer: Senthil Kumaran <skumaran at gatech.edu>
date: 2019-03-10T10:12:28-07:00
summary:
bpo-35647: Fix path check in cookiejar (#11436)
* Refactor cookie path check as per RFC 6265
* Add tests for prefix match of path
* Add news entry
* Fix set_ok_path and refactor tests
* Use slice for last letter
files:
A Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst
M Lib/http/cookiejar.py
M Lib/test/test_http_cookiejar.py
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index 3a96383325ca..db8238235718 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -993,7 +993,7 @@ def set_ok_path(self, cookie, request):
req_path = request_path(request)
if ((cookie.version > 0 or
(cookie.version == 0 and self.strict_ns_set_path)) and
- not req_path.startswith(cookie.path)):
+ not self.path_return_ok(cookie.path, request)):
_debug(" path attribute %s is not a prefix of request "
"path %s", cookie.path, req_path)
return False
@@ -1200,11 +1200,15 @@ def domain_return_ok(self, domain, request):
def path_return_ok(self, path, request):
_debug("- checking cookie path=%s", path)
req_path = request_path(request)
- if not req_path.startswith(path):
- _debug(" %s does not path-match %s", req_path, path)
- return False
- return True
+ pathlen = len(path)
+ if req_path == path:
+ return True
+ elif (req_path.startswith(path) and
+ (path.endswith("/") or req_path[pathlen:pathlen+1] == "/")):
+ return True
+ _debug(" %s does not path-match %s", req_path, path)
+ return False
def vals_sorted_by_key(adict):
keys = sorted(adict.keys())
diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
index acf315a4f2e0..22bf41cf1d91 100644
--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -720,6 +720,30 @@ def test_request_path(self):
req = urllib.request.Request("http://www.example.com")
self.assertEqual(request_path(req), "/")
+ def test_path_prefix_match(self):
+ pol = DefaultCookiePolicy()
+ strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True)
+
+ c = CookieJar(pol)
+ base_url = "http://bar.com"
+ interact_netscape(c, base_url, 'spam=eggs; Path=/foo')
+ cookie = c._cookies['bar.com']['/foo']['spam']
+
+ for path, ok in [('/foo', True),
+ ('/foo/', True),
+ ('/foo/bar', True),
+ ('/', False),
+ ('/foobad/foo', False)]:
+ url = f'{base_url}{path}'
+ req = urllib.request.Request(url)
+ h = interact_netscape(c, url)
+ if ok:
+ self.assertIn('spam=eggs', h, f"cookie not set for {path}")
+ self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req))
+ else:
+ self.assertNotIn('spam=eggs', h, f"cookie set for {path}")
+ self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req))
+
def test_request_port(self):
req = urllib.request.Request("http://www.acme.com:1234/",
headers={"Host": "www.acme.com:4321"})
diff --git a/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst
new file mode 100644
index 000000000000..032e1e2c00bc
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst
@@ -0,0 +1,3 @@
+Don't set cookie for a request when the request path is a prefix match of
+the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan
+Singaravelan.
More information about the Python-checkins
mailing list