.. _cookie-path-check:

http.cookiejar: Incorrect validation of path
============================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the `Open Source Vulnerability Database `_.

Cookies of ``example.com`` with ``path=/any`` were sent to ``example.com/anybad/`` when using a cookie jar with the `http.cookiejar.DefaultCookiePolicy` policy. The path check was a plain string-prefix match: it did not require the first character of the request path after the matching prefix to be a slash (or the cookie path to end in one), so a cookie scoped to ``/any`` also matched the unrelated sub-tree ``/anybad/`` and was disclosed to it.

Dates:

* Disclosure date: **2019-01-03** (Python issue bpo-35647 reported)

Fixed In
--------

* Python **2.7.17** (2019-10-19) fixed by `commit ee15aa2 (branch 2.7) `_ (2019-06-15)
* Python **3.4.10** (2019-03-18) fixed by `commit 382981b (branch 3.4) `_ (2019-03-16)
* Python **3.5.7** (2019-03-18) fixed by `commit e260f09 (branch 3.5) `_ (2019-03-16)
* Python **3.6.9** (2019-07-02) fixed by `commit 5565b1d (branch 3.6) `_ (2019-03-12)
* Python **3.7.3** (2019-03-25) fixed by `commit 97c7d78 (branch 3.7) `_ (2019-03-10)
* Python **3.8.0** (2019-10-14) fixed by `commit 0e1f1f0 (branch 3.8) `_ (2019-03-10)

Python issue
------------

Cookie path check returns incorrect results.

* Python issue: `bpo-35647 `_
* Creation date: 2019-01-03
* Reporter: Karthikeyan Singaravelan

Timeline
--------

Timeline using the disclosure date **2019-01-03** as reference:

* 2019-01-03: `Python issue bpo-35647 `_ reported by Karthikeyan Singaravelan
* 2019-03-10 (**+66 days**): `commit 0e1f1f0 (branch 3.8) `_
* 2019-03-10 (**+66 days**): `commit 97c7d78 (branch 3.7) `_
* 2019-03-12 (**+68 days**): `commit 5565b1d (branch 3.6) `_
* 2019-03-16 (**+72 days**): `commit 382981b (branch 3.4) `_
* 2019-03-16 (**+72 days**): `commit e260f09 (branch 3.5) `_
* 2019-03-18 (**+74 days**): Python 3.4.10 released
* 2019-03-18 (**+74 days**): Python 3.5.7 released
* 2019-03-25 (**+81 days**): Python 3.7.3 released
* 2019-06-15 (**+163 days**): `commit ee15aa2 (branch 2.7) `_
* 2019-07-02 (**+180 days**): Python 3.6.9 released
* 2019-10-14 (**+284 days**): Python 3.8.0 released
* 2019-10-19 (**+289 days**): Python 2.7.17 released
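To make the faulty check concrete, the following is an added example (not code from this page, nor CPython's own implementation). It contrasts a bare prefix test, which behaves as the page describes the pre-fix check, with the path-match rule of RFC 6265 section 5.1.4 (identical paths, or a prefix that either ends in ``/`` or is followed by ``/`` in the request path), and then asks the running interpreter's ``http.cookiejar`` whether a cookie scoped to ``/any`` is attached to a request for ``example.com/anybad/``. The cookie name ``session``, its value ``abc`` and the request URLs are constructed for the example; the stdlib result assumes an interpreter that includes the fix listed above.

```python
import urllib.request
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy


def naive_path_match(req_path, cookie_path):
    """Bare prefix test, mirroring the behaviour described for the pre-fix
    policy: "/any" is a prefix of "/anybad/", so the cookie leaks to an
    unrelated sub-tree."""
    return req_path.startswith(cookie_path)


def rfc6265_path_match(req_path, cookie_path):
    """Path-match per RFC 6265 section 5.1.4: the paths are identical, or the
    cookie path is a prefix of the request path and either ends in "/" or the
    first request-path character after the prefix is "/"."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    # req_path is strictly longer than cookie_path here, so the index is valid.
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"


def make_cookie(name, value, domain, path):
    # Constructed Netscape-style (version 0) cookie, equivalent to what a
    # server Set-Cookie header with an explicit Path attribute would yield.
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path=path, path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    )


def stdlib_cookie_header(cookie_path, url, domain="example.com"):
    """Return the Cookie header http.cookiejar would attach to a request for
    ``url`` given one cookie scoped to ``domain`` and ``cookie_path``, or None
    if DefaultCookiePolicy withholds it.  Nothing is sent over the network."""
    jar = CookieJar(policy=DefaultCookiePolicy())
    jar.set_cookie(make_cookie("session", "abc", domain, cookie_path))
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def interpreter_is_fixed():
    """True when the running http.cookiejar withholds a /any cookie from
    /anybad/ (the bpo-35647 fix) while still sending it under /any/."""
    leaked = stdlib_cookie_header("/any", "http://example.com/anybad/")
    sent = stdlib_cookie_header("/any", "http://example.com/any/page")
    return leaked is None and sent == "session=abc"


if __name__ == "__main__":
    for req_path in ("/any", "/any/", "/any/page", "/anybad/", "/anything"):
        print(f"{req_path:10} naive={naive_path_match(req_path, '/any')!s:5} "
              f"rfc6265={rfc6265_path_match(req_path, '/any')}")
    print("running interpreter applies the fix:", interpreter_is_fixed())
```

``interpreter_is_fixed()`` is a quick way to confirm that a deployed interpreter carries the backport without reading its patch level: an unfixed ``http.cookiejar`` returns ``session=abc`` for the ``/anybad/`` request, a fixed one returns no Cookie header for it.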