http.cookiejar: Incorrect validation of path

Cookies of example.com with path=/any were sent to example.com/anybad/ while using a cookiejar with http.cookiejar.DefaultCookiePolicy policy. The code did not check for the first non-matching character in prefix match to be a slash.

Dates:

• Disclosure date: 2019-01-03 (Python issue bpo-35647 reported)

Fixed In

• Python 2.7.17 (2019-10-19) fixed by commit ee15aa2 (branch 2.7) (2019-06-15)
• Python 3.4.10 (2019-03-18) fixed by commit e260f09 (branch 3.5) (2019-03-16)
• Python 3.5.7 (2019-03-17) fixed by commit 382981b (branch 3.4) (2019-03-16)
• Python 3.6.9 (2019-07-03) fixed by commit 5565b1d (branch 3.6) (2019-03-12)
• Python 3.7.3 (2019-03-25) fixed by commit 97c7d78 (branch 3.7) (2019-03-10)
• Python 3.8.0 (2019-10-14) fixed by commit 0e1f1f0 (branch 3.8) (2019-03-10)

Python issue

Cookie path check returns incorrect results.

• Python issue: bpo-35647
• Creation date: 2019-01-03
• Reporter: Karthikeyan Singaravelan

Timeline

Timeline using the disclosure date 2019-01-03 as reference:

• 2019-01-03: Python issue bpo-35647 reported by Karthikeyan Singaravelan
• 2019-03-10 (+66 days): commit 0e1f1f0 (branch 3.8)
• 2019-03-10 (+66 days): commit 97c7d78 (branch 3.7)
• 2019-03-12 (+68 days): commit 5565b1d (branch 3.6)
• 2019-03-16 (+72 days): commit 382981b (branch 3.4)
• 2019-03-16 (+72 days): commit e260f09 (branch 3.5)
• 2019-03-17 (+73 days): Python 3.5.7 released
• 2019-03-18 (+74 days): Python 3.4.10 released
• 2019-03-25 (+81 days): Python 3.7.3 released
• 2019-06-15 (+163 days): commit ee15aa2 (branch 2.7)
• 2019-07-03 (+181 days): Python 3.6.9 released
• 2019-10-14: Python 3.8.0 released
• 2019-10-19 (+289 days): Python 2.7.17 released