[issue35647] Cookie path check returns incorrect results
Karthikeyan Singaravelan
report at bugs.python.org
Sun Mar 10 14:37:35 EDT 2019
Karthikeyan Singaravelan <tir.karthi at gmail.com> added the comment:
The backport to 3.5 might require manual work since I used f-strings for tests that are not present in 3.5 and below. 2.7 is also affected: I backported the tests, and a cookie set with path=/foo is sent on a request to /foobad/foo. The module is present under Lib/cookielib.py and might also require a different backport. Since this applies the RFC 6265 definition, which is stricter and more concrete than RFC 2965, I am not sure if this might break someone's code, though there is a bug in the paths to which the cookie is sent. I am adding Larry and Benjamin, who can take a call on the backport, and if a backport is needed I will be happy to open the respective PRs.
The code in 2.7 also performs the same prefix match at https://github.com/python/cpython/blob/55438d713978a1913ef12c8a801848626228aad6/Lib/cookielib.py#L1182 that was fixed as per RFC 6265.
    def path_return_ok(self, path, request):
        _debug("- checking cookie path=%s", path)
        req_path = request_path(request)
        if not req_path.startswith(path):
            _debug("  %s does not path-match %s", req_path, path)
            return False
        return True
$ ./python.exe
Python 2.7.16+ (remotes/upstream/2.7-dirty:55438d7139, Mar 10 2019, 23:35:15)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>>
$ ./python.exe -m unittest -v test.test_cookielib.CookieTests.test_path_prefix_match
test_path_prefix_match (test.test_cookielib.CookieTests) ... FAIL
======================================================================
FAIL: test_path_prefix_match (test.test_cookielib.CookieTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/karthikeyansingaravelan/stuff/python/cpython/Lib/test/test_cookielib.py", line 673, in test_path_prefix_match
    self.assertNotIn('spam=eggs', h, "cookie set for {0}".format(path))
AssertionError: cookie set for /foobad/foo
----------------------------------------------------------------------
Ran 1 test in 0.010s
FAILED (failures=1)
----------
nosy: +benjamin.peterson, larry
versions: +Python 2.7
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35647>
_______________________________________
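Added example, not part of the original message and not code from CPython: the plain prefix test from the quoted path_return_ok next to the path-match rule of RFC 6265 section 5.1.4, run over constructed request paths. The function names and the sample paths are hypothetical.

```python
# Added example. prefix_match, rfc6265_path_match and over_matched are
# hypothetical names, not cookielib / http.cookiejar functions.


def prefix_match(cookie_path, req_path):
    """The plain prefix test used by the quoted 2.7 path_return_ok."""
    return req_path.startswith(cookie_path)


def rfc6265_path_match(cookie_path, req_path):
    """Path-match as defined in RFC 6265 section 5.1.4."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    # A cookie-path ending in "/" already sits on a segment boundary.
    if cookie_path.endswith("/"):
        return True
    # Otherwise the first character after the prefix must be "/".
    # Indexing is safe: req_path is strictly longer than cookie_path here.
    return req_path[len(cookie_path)] == "/"


# Constructed sample request paths; /foobad/foo is the case from the message.
SAMPLE_PATHS = ["/foo", "/foo/", "/foo/bar", "/foobad/foo", "/foobar", "/", "/bar/foo"]


def over_matched(cookie_path, req_paths):
    """Paths the prefix test accepts although RFC 6265 rejects them."""
    return [
        p for p in req_paths
        if prefix_match(cookie_path, p) and not rfc6265_path_match(cookie_path, p)
    ]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("%-12s prefix=%-5s rfc6265=%s"
              % (p, prefix_match("/foo", p), rfc6265_path_match("/foo", p)))
    print("sent by prefix test only:", over_matched("/foo", SAMPLE_PATHS))
```

A regression test for a cookie jar can reuse the same table of paths and assert that the Cookie header is absent for every entry returned by over_matched.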