classification
Title: urllib.request.HTTPPasswordMgr uses commonprefix instead of commonpath
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.10
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Incorrect authorization check in urllib.request (View: 46756)
Assigned To:
Nosy List: Fongeme, nagdon, orsenthil, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2020-12-28 15:42 by nagdon, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 24181 closed Fongeme, 2021-01-09 20:31
Messages (2)
msg383898 - Author: Donát Nagy (nagdon) Date: 2020-12-28 15:42
The is_suburi(self, base, test) method of HTTPPasswordMgr in the urllib.request module tries to "Check if test is below base in a URI tree", but it uses the posixpath.commonprefix() function. This is problematic because commonprefix ignores the path structure (for example commonprefix(['/usr/lib', '/usr/local/lib'])=='/usr/l') and therefore the current implementation of is_suburi is essentially equivalent to calling str.startswith after some normalization steps.

If we want to say that example.com/resource101 is *NOT* below example.com/resource1 in a URI tree, then the call to commonprefix should be replaced by a call to posixpath.commonpath(), which does the right thing.
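The difference described in the report above, as an added example that is not part of the original message or of CPython's source: the character-wise check is written from the report's description, the segment-wise check follows its commonpath suggestion, and `reduce_uri`, `compare` and the sample URIs are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit


def reduce_uri(uri):
    """Simplified stand-in for the manager's normalization: (authority, path)."""
    parts = urlsplit(uri if "://" in uri else "//" + uri)
    return parts.netloc, parts.path or "/"


def is_suburi_commonprefix(base, test):
    """Character-wise comparison, the behaviour the report describes."""
    if base == test:
        return True
    if base[0] != test[0]:
        return False
    common = posixpath.commonprefix((base[1], test[1]))
    return len(common) == len(base[1])


def is_suburi_commonpath(base, test):
    """Segment-wise comparison with posixpath.commonpath, as the report proposes."""
    if base == test:
        return True
    if base[0] != test[0]:
        return False
    base_path = base[1].rstrip("/") or "/"  # commonpath drops trailing slashes
    try:
        common = posixpath.commonpath((base_path, test[1]))
    except ValueError:  # e.g. absolute and relative paths mixed
        return False
    return common == base_path


def compare(base_uri, test_uri):
    """Return (commonprefix verdict, commonpath verdict) for two URIs."""
    base, test = reduce_uri(base_uri), reduce_uri(test_uri)
    return is_suburi_commonprefix(base, test), is_suburi_commonpath(base, test)


if __name__ == "__main__":
    # Constructed sample URIs; credentials are assumed registered for the base.
    base = "example.com/resource1"
    for test in ("example.com/resource1/item", "example.com/resource101",
                 "example.com/resource1", "other.example/resource1/item"):
        print(f"{test:32} prefix={compare(base, test)[0]!s:5} path={compare(base, test)[1]}")
```

Only the `resource101` row differs between the two checks: the character-wise version treats it as below `resource1`, so a password manager matching this way would consider credentials registered for the base applicable to the sibling resource.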
msg413986 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2022-02-25 12:00
Sorry I did not notice this issue. It is now solved in issue46756.

In any case thank you for the report and the PR.
History
Date | User | Action | Args
2022-04-11 14:59:39 | admin | set | github: 86932
2022-02-25 12:00:31 | serhiy.storchaka | set | status: open -> closed; superseder: Incorrect authorization check in urllib.request; nosy: + serhiy.storchaka; messages: + msg413986; resolution: duplicate; stage: patch review -> resolved
2021-07-06 21:38:32 | terry.reedy | set | nosy: + orsenthil
2021-01-09 20:31:09 | Fongeme | set | keywords: + patch; nosy: + Fongeme; pull_requests: + pull_request23007; stage: patch review
2020-12-28 15:42:33 | nagdon | create |