Message 328975 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	xtreak
Recipients	xtreak, 西田雄治
Date	2018-10-31.08:15:02
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1540973702.19.0.788709270274.issue35121@psf.upfronthosting.co.za>
In-reply-to

Content
The current set of tests are at https://github.com/python/cpython/blob/0353b4eaaf451ad463ce7eb3074f6b62d332f401/Lib/test/test_http_cookiejar.py#L406 . A simple set of tuple that can be added based on the report as below : ("http://barfoo.com", ".foo.com", False) ("http://barfoo.com", "foo.com", False) # Fails on master The check is done at https://github.com/python/cpython/blob/0353b4eaaf451ad463ce7eb3074f6b62d332f401/Lib/http/cookiejar.py#L1176 . There is no check to add '.' before domain if absent. Hence it performs a substring match with the values req_host = ".barfoo.com" and erhn = ".barfoo.com" and domain = "foo.com" so the condition `not (req_host.endswith(domain) or erhn.endswith(domain))` fails and doesn't return False. I would suggest adding a check to make sure domain also starts with '.' similar to req_host and erhn thus fixing the issue. I tried the fix and existing tests along with the reported case works fine. diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py index 0ba8200f32..da7462701b 100644 --- a/Lib/http/cookiejar.py +++ b/Lib/http/cookiejar.py @@ -1173,6 +1173,8 @@ class DefaultCookiePolicy(CookiePolicy): req_host = "."+req_host if not erhn.startswith("."): erhn = "."+erhn + if not domain.startswith("."): + domain = "."+domain if not (req_host.endswith(domain) or erhn.endswith(domain)): #_debug(" request domain %s does not match cookie domain %s", # req_host, domain) ("http://barfoo.com", ".foo.com", False) ("http://barfoo.com", "foo.com", False) # Tests pass with fix Also tried the script attached in the report $ cat ../backups/bpo35121.py import urllib from http.cookiejar import DefaultCookiePolicy policy = DefaultCookiePolicy() req = urllib.request.Request('https://xxxfoo.co.jp/') print(policy.domain_return_ok('foo.co.jp', req)) # without fix $ ./python.exe ../backups/bpo35121.py True # With domain fix $ ./python.exe ../backups/bpo35121.py False The check was added in 2004 with commit 2a6ba9097ee3942ae328befaf074ce9722b93ca0 . If my fix is correct I am willing to raise a PR for this with test. Hope it helps!

The current set of tests are at https://github.com/python/cpython/blob/0353b4eaaf451ad463ce7eb3074f6b62d332f401/Lib/test/test_http_cookiejar.py#L406 . A simple set of tuple that can be added based on the report as below : 

("http://barfoo.com", ".foo.com", False)
("http://barfoo.com", "foo.com", False) # Fails on master

The check is done at https://github.com/python/cpython/blob/0353b4eaaf451ad463ce7eb3074f6b62d332f401/Lib/http/cookiejar.py#L1176 . There is no check to add '.' before domain if absent. Hence it performs a substring match with the values req_host = ".barfoo.com" and erhn = ".barfoo.com" and domain = "foo.com" so the condition `not (req_host.endswith(domain) or erhn.endswith(domain))` fails and doesn't return False. I would suggest adding a check to make sure domain also starts with '.' similar to req_host and erhn thus fixing the issue. I tried the fix and existing tests along with the reported case works fine.

diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index 0ba8200f32..da7462701b 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -1173,6 +1173,8 @@ class DefaultCookiePolicy(CookiePolicy):
             req_host = "."+req_host
         if not erhn.startswith("."):
             erhn = "."+erhn
+        if not domain.startswith("."):
+            domain = "."+domain
         if not (req_host.endswith(domain) or erhn.endswith(domain)):
             #_debug("   request domain %s does not match cookie domain %s",
             #       req_host, domain)

("http://barfoo.com", ".foo.com", False)
("http://barfoo.com", "foo.com", False) # Tests pass with fix

Also tried the script attached in the report

$ cat ../backups/bpo35121.py

import urllib
from http.cookiejar import DefaultCookiePolicy

policy = DefaultCookiePolicy()
req = urllib.request.Request('https://xxxfoo.co.jp/')
print(policy.domain_return_ok('foo.co.jp', req))

# without fix

$ ./python.exe ../backups/bpo35121.py
True

# With domain fix

$ ./python.exe ../backups/bpo35121.py
False

The check was added in 2004 with commit 2a6ba9097ee3942ae328befaf074ce9722b93ca0 . If my fix is correct I am willing to raise a PR for this with test.

Hope it helps!

History
Date	User	Action	Args
2018-10-31 08:15:02	xtreak	set	recipients: + xtreak, 西田雄治
2018-10-31 08:15:02	xtreak	set	messageid: <1540973702.19.0.788709270274.issue35121@psf.upfronthosting.co.za>
2018-10-31 08:15:02	xtreak	link	issue35121 messages
2018-10-31 08:15:02	xtreak	create