bpo-35647: Fix path check in cookiejar (GH-11436) (GH-12268) · python/cpython@5565b1d (original) (raw)
3 files changed
lines changed
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -993,7 +993,7 @@ def set_ok_path(self, cookie, request): | ||
| 993 | 993 | req_path = request_path(request) |
| 994 | 994 | if ((cookie.version > 0 or |
| 995 | 995 | (cookie.version == 0 and self.strict_ns_set_path)) and |
| 996 | -not req_path.startswith(cookie.path)): | |
| 996 | +not self.path_return_ok(cookie.path, request)): | |
| 997 | 997 | _debug(" path attribute %s is not a prefix of request " |
| 998 | 998 | "path %s", cookie.path, req_path) |
| 999 | 999 | return False |
| @@ -1200,11 +1200,15 @@ def domain_return_ok(self, domain, request): | ||
| 1200 | 1200 | def path_return_ok(self, path, request): |
| 1201 | 1201 | _debug("- checking cookie path=%s", path) |
| 1202 | 1202 | req_path = request_path(request) |
| 1203 | -if not req_path.startswith(path): | |
| 1204 | -_debug(" %s does not path-match %s", req_path, path) | |
| 1205 | -return False | |
| 1206 | -return True | |
| 1203 | +pathlen = len(path) | |
| 1204 | +if req_path == path: | |
| 1205 | +return True | |
| 1206 | +elif (req_path.startswith(path) and | |
| 1207 | + (path.endswith("/") or req_path[pathlen:pathlen+1] == "/")): | |
| 1208 | +return True | |
| 1207 | 1209 | |
| 1210 | +_debug(" %s does not path-match %s", req_path, path) | |
| 1211 | +return False | |
| 1208 | 1212 | |
| 1209 | 1213 | def vals_sorted_by_key(adict): |
| 1210 | 1214 | keys = sorted(adict.keys()) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -695,6 +695,30 @@ def test_request_path(self): | ||
| 695 | 695 | req = urllib.request.Request("http://www.example.com") |
| 696 | 696 | self.assertEqual(request_path(req), "/") |
| 697 | 697 | |
| 698 | +def test_path_prefix_match(self): | |
| 699 | +pol = DefaultCookiePolicy() | |
| 700 | +strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True) | |
| 701 | + | |
| 702 | +c = CookieJar(pol) | |
| 703 | +base_url = "http://bar.com" | |
| 704 | +interact_netscape(c, base_url, 'spam=eggs; Path=/foo') | |
| 705 | +cookie = c._cookies['bar.com']['/foo']['spam'] | |
| 706 | + | |
| 707 | +for path, ok in [('/foo', True), | |
| 708 | + ('/foo/', True), | |
| 709 | + ('/foo/bar', True), | |
| 710 | + ('/', False), | |
| 711 | + ('/foobad/foo', False)]: | |
| 712 | +url = f'{base_url}{path}' | |
| 713 | +req = urllib.request.Request(url) | |
| 714 | +h = interact_netscape(c, url) | |
| 715 | +if ok: | |
| 716 | +self.assertIn('spam=eggs', h, f"cookie not set for {path}") | |
| 717 | +self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req)) | |
| 718 | +else: | |
| 719 | +self.assertNotIn('spam=eggs', h, f"cookie set for {path}") | |
| 720 | +self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req)) | |
| 721 | + | |
| 698 | 722 | def test_request_port(self): |
| 699 | 723 | req = urllib.request.Request("http://www.acme.com:1234/", |
| 700 | 724 | headers={"Host": "www.acme.com:4321"}) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| 1 | +Don't set cookie for a request when the request path is a prefix match of | |
| 2 | +the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan | |
| 3 | +Singaravelan. |