http.cookiejar: Incorrect validation of path
Cookies of example.com with path=/any were sent to example.com/anybad/ when using a cookiejar with the http.cookiejar.DefaultCookiePolicy policy. The path check was a prefix match, and the code did not check that the first non-matching character after the matched prefix was a slash.
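The path comparison described above, as an added example (not CPython's code and not part of the original advisory): `prefix_only_match` reproduces the prefix-only behaviour, `boundary_aware_match` adds the slash check in the style of RFC 6265 path matching, and `interpreter_is_patched` asks the running interpreter's `DefaultCookiePolicy`. The function names and the sample paths in `CASES` are assumptions constructed for illustration.

```python
import urllib.request
from http.cookiejar import DefaultCookiePolicy


def prefix_only_match(cookie_path, req_path):
    """Behaviour described in the advisory: a bare prefix comparison."""
    return req_path.startswith(cookie_path)


def boundary_aware_match(cookie_path, req_path):
    """Prefix match that also requires a '/' boundary after the prefix."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    # req_path is strictly longer here, so the index below is always valid.
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"


def stdlib_path_ok(cookie_path, url):
    """Ask the running interpreter's policy whether the cookie path matches."""
    request = urllib.request.Request(url)
    return DefaultCookiePolicy().path_return_ok(cookie_path, request)


def interpreter_is_patched():
    """True when /any is no longer treated as matching /anybad/."""
    return not stdlib_path_ok("/any", "http://example.com/anybad/")


# Constructed sample inputs: (cookie path, request path).
CASES = [
    ("/any", "/any"),
    ("/any", "/any/sub"),
    ("/any/", "/any/sub"),
    ("/any", "/anybad/"),
    ("/any", "/other"),
]

if __name__ == "__main__":
    for cookie_path, req_path in CASES:
        print(cookie_path, req_path,
              "prefix-only:", prefix_only_match(cookie_path, req_path),
              "boundary-aware:", boundary_aware_match(cookie_path, req_path),
              "stdlib:", stdlib_path_ok(cookie_path, "http://example.com" + req_path))
    print("interpreter patched:", interpreter_is_patched())
```

Running it on an interpreter older than the releases listed under "Fixed In" is expected to show `stdlib` agreeing with `prefix-only` for the `/anybad/` case.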
Dates:
- Disclosure date: 2019-01-03 (Python issue bpo-35647 reported)
Fixed In
- Python 2.7.17 (2019-10-19) fixed by commit ee15aa2 (branch 2.7) (2019-06-15)
- Python 3.4.10 (2019-03-18) fixed by commit e260f09 (branch 3.5) (2019-03-16)
- Python 3.5.7 (2019-03-17) fixed by commit 382981b (branch 3.4) (2019-03-16)
- Python 3.6.9 (2019-07-03) fixed by commit 5565b1d (branch 3.6) (2019-03-12)
- Python 3.7.3 (2019-03-25) fixed by commit 97c7d78 (branch 3.7) (2019-03-10)
- Python 3.8.0 (2019-10-14) fixed by commit 0e1f1f0 (branch 3.8) (2019-03-10)
Python issue
Cookie path check returns incorrect results.
- Python issue: bpo-35647
- Creation date: 2019-01-03
- Reporter: Karthikeyan Singaravelan
Timeline
Timeline using the disclosure date 2019-01-03 as reference:
- 2019-01-03: Python issue bpo-35647 reported by Karthikeyan Singaravelan
- 2019-03-10 (+66 days): commit 0e1f1f0 (branch 3.8)
- 2019-03-10 (+66 days): commit 97c7d78 (branch 3.7)
- 2019-03-12 (+68 days): commit 5565b1d (branch 3.6)
- 2019-03-16 (+72 days): commit 382981b (branch 3.4)
- 2019-03-16 (+72 days): commit e260f09 (branch 3.5)
- 2019-03-17 (+73 days): Python 3.5.7 released
- 2019-03-18 (+74 days): Python 3.4.10 released
- 2019-03-25 (+81 days): Python 3.7.3 released
- 2019-06-15 (+163 days): commit ee15aa2 (branch 2.7)
- 2019-07-03 (+181 days): Python 3.6.9 released
- 2019-10-14: Python 3.8.0 released
- 2019-10-19 (+289 days): Python 2.7.17 released