This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author xtreak
Recipients Windson Yang, benjamin.peterson, larry, lukasz.langa, martin.panter, ned.deily, orsenthil, serhiy.storchaka, xtreak, 西田雄治
Date 2019-03-10.09:16:38
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
There are many libraries that use DefaultCookiePolicy and requests library uses it for client where session state needs to be maintained across different requests. Currently, requests doesn't have a documented API to change to cookiejar policy and were not keen on introducing a custom one since this might introduce maintenance burden over keeping it in sync with other changes when made upstream. The team have been informed about this when the issue was created and I also updated the maintainers now about the fix being merged since it's a highly popular library. 

So requests will remain affected when ran on versions where this patch is not available in CPython standard library as of now. A potentially simple workaround in the absence of patch on affected versions is to set DomainStrict in the cookiepolicy that would make sure a literal match against domain is made at [0] . The disadvantage I guess would be that cookie set on would not be shared with subdomain which might break workflow. aio-http was not affected since it uses custom cookiejar policy. scrapy also seems to be not affected since they custom policies. Most of the web frameworks don't recommend setting domain explicitly and set them implicitly so it can be reproduced in the default setup of frameworks and Flask was the one I tested which makes me assume this could be easily exploited.

Date User Action Args
2019-03-10 09:16:39xtreaksetrecipients: + xtreak, orsenthil, larry, benjamin.peterson, ned.deily, lukasz.langa, martin.panter, serhiy.storchaka, Windson Yang, 西田雄治
2019-03-10 09:16:39xtreaksetmessageid: <>
2019-03-10 09:16:39xtreaklinkissue35121 messages
2019-03-10 09:16:38xtreakcreate