Message337601
There are many libraries that use DefaultCookiePolicy, and the requests library uses it for clients where session state needs to be maintained across different requests. Currently, requests doesn't have a documented API to change the cookiejar policy, and they were not keen on introducing a custom one since this might introduce a maintenance burden in keeping it in sync with other changes when made upstream. The team has been informed about this when the issue was created, and I also updated the maintainers now about the fix being merged since it's a highly popular library.
So requests will remain affected when run on versions where this patch is not available in the CPython standard library as of now. A potentially simple workaround in the absence of the patch on affected versions is to set DomainStrict in the cookie policy, which would make sure a literal match against the domain is made at [0]. The disadvantage, I guess, would be that a cookie set on example.com would not be shared with a subdomain, which might break workflow. aio-http was not affected since it uses a custom cookiejar policy. scrapy also seems to be not affected since they use custom policies. Most of the web frameworks don't recommend setting the domain explicitly and set it implicitly, so it can be reproduced in the default setup of frameworks, and Flask was the one I tested, which makes me assume this could be easily exploited.
[0] https://github.com/python/cpython/blob/ca7fe5063593958e5efdf90f068582837f07bd14/Lib/http/cookiejar.py#L1158

Date | User | Action | Args
2019-03-10 09:16:39 | xtreak | set | recipients: + xtreak, orsenthil, larry, benjamin.peterson, ned.deily, lukasz.langa, martin.panter, serhiy.storchaka, Windson Yang, 西田雄治
2019-03-10 09:16:39 | xtreak | set | messageid: <1552209399.2.0.068086790489.issue35121@roundup.psfhosted.org>
2019-03-10 09:16:39 | xtreak | link | issue35121 messages
2019-03-10 09:16:38 | xtreak | create |
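
The DomainStrict workaround and its trade-off described in the message above, as an added example that is not part of the original message or of CPython or requests. It uses only `http.cookiejar` from the standard library; `FakeResponse`, `hosts_receiving_cookie` and the sample cookie are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class FakeResponse:
    """Offline stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def hosts_receiving_cookie(policy, origin, set_cookie, candidates):
    """Store a cookie received from `origin`, then return the candidate
    URLs for which the jar would attach a Cookie header."""
    jar = CookieJar(policy=policy)
    jar.extract_cookies(FakeResponse(set_cookie), Request(origin))
    sent_to = []
    for url in candidates:
        req = Request(url)
        jar.add_cookie_header(req)
        if req.get_header("Cookie"):
            sent_to.append(url)
    return sent_to


# Constructed sample input: the server sets no Domain attribute, which is
# the implicit-domain default of most web frameworks.
ORIGIN = "http://example.com/"
SET_COOKIE = "session=constructed-value; Path=/"
CANDIDATES = ["http://example.com/", "http://sub.example.com/"]

# DomainStrict = DomainStrictNoDots | DomainStrictNonDomain; the second flag
# requires a literal match between the cookie's domain and the request host
# for cookies whose domain was not given explicitly.
STRICT = DefaultCookiePolicy(strict_ns_domain=DefaultCookiePolicy.DomainStrict)

if __name__ == "__main__":
    for label, policy in (("default", DefaultCookiePolicy()), ("strict", STRICT)):
        print(label, hosts_receiving_cookie(policy, ORIGIN, SET_COOKIE, CANDIDATES))
```

Under the strict policy the cookie goes back only to the host that set it, which is the subdomain-sharing cost the message mentions.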