http.cookiejar: Incorrect validation of path¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
Cookies set for example.com with path=/any were also sent to example.com/anybad/ when the cookiejar used the http.cookiejar.DefaultCookiePolicy policy. The policy's path check was a plain string-prefix test: it did not require the first character of the request path after the matching prefix to be a slash, so any request path that merely started with the cookie's path string matched. RFC 6265 (section 5.1.4) only allows a path-match when the paths are equal, or when the cookie path is a prefix and either ends in "/" or the request path continues with "/". A cookie scoped to one path under a domain could therefore be disclosed to sibling paths on the same host whose names share that prefix.
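The following is an added example, not code from the advisory or from CPython. It reproduces the prefix-only test described above as a plain function, places the RFC 6265 path-match rule next to it, and then probes the running interpreter by building a cookiejar with DefaultCookiePolicy and asking what Cookie header it would attach. The domain example.com, the cookie path /any and the request path /anybad/ come from the advisory; the cookie name "session", its value "secret" and the extra request paths are constructed for illustration.

```python
"""Added example: the bpo-35647 path-match flaw side by side with the RFC 6265
rule, plus a probe of the interpreter's own http.cookiejar behaviour.

Constructed inputs: cookie name 'session', value 'secret', and the request
URLs other than example.com/anybad/ (which the advisory names).
"""
import http.cookiejar
import urllib.request
from http.cookiejar import Cookie, CookieJar


def vulnerable_path_match(req_path: str, cookie_path: str) -> bool:
    """Pre-fix behaviour as the advisory describes it: a bare string-prefix
    test, so '/anybad/' is accepted for a cookie scoped to '/any'.
    (Reconstruction of the described logic, not CPython's source.)"""
    return req_path.startswith(cookie_path)


def rfc6265_path_match(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the request path equals the cookie
    path, or the cookie path is a prefix of it and either ends in '/' or the
    request path continues with '/'.  This is the rule the fix enforces."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    n = len(cookie_path)
    return cookie_path.endswith("/") or req_path[n:n + 1] == "/"


def make_cookie(name: str, value: str, domain: str, path: str) -> Cookie:
    """Build a Netscape-style (version 0) cookie scoped to domain and path."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path=path, path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def probe(cookie_path: str, url: str):
    """Store one example.com cookie scoped to cookie_path in a jar that uses
    DefaultCookiePolicy, then return the Cookie header the jar would attach to
    a request for url, or None if the policy withholds the cookie."""
    jar = CookieJar(http.cookiejar.DefaultCookiePolicy())
    jar.set_cookie(make_cookie("session", "secret", "example.com", cookie_path))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def interpreter_is_affected() -> bool:
    """True when this interpreter leaks a cookie scoped to example.com path=/any
    to example.com/anybad/, i.e. it still carries the bpo-35647 behaviour."""
    return probe("/any", "http://example.com/anybad/") is not None


if __name__ == "__main__":
    for req_path in ("/any", "/any/", "/any/sub", "/anybad/", "/anything"):
        print(f"{req_path:10} prefix-only={vulnerable_path_match(req_path, '/any')!s:5} "
              f"rfc6265={rfc6265_path_match(req_path, '/any')}")
    print("interpreter affected by bpo-35647:", interpreter_is_affected())
```

Running the script on a patched interpreter prints False for the probe and shows the two matchers disagreeing only on paths such as /anybad/ and /anything, which share the prefix but are not below /any. The probe exercises the real CookieJar and DefaultCookiePolicy rather than reimplementing them, so it reports what the interpreter actually does rather than what its version string suggests.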
Dates:
- Disclosure date: 2019-01-03 (Python issue bpo-35647 reported)
Fixed In¶
- Python 2.7.17 (2019-10-19) fixed by commit ee15aa2 (branch 2.7) (2019-06-15)
- Python 3.4.10 (2019-03-18) fixed by commit e260f09 (branch 3.5) (2019-03-16)
- Python 3.5.7 (2019-03-18) fixed by commit 382981b (branch 3.4) (2019-03-16)
- Python 3.6.9 (2019-07-02) fixed by commit 5565b1d (branch 3.6) (2019-03-12)
- Python 3.7.3 (2019-03-25) fixed by commit 97c7d78 (branch 3.7) (2019-03-10)
- Python 3.8.0 (2019-10-14) fixed by commit 0e1f1f0 (branch 3.8) (2019-03-10)
Python issue¶
Cookie path check returns incorrect results.
- Python issue: bpo-35647
- Creation date: 2019-01-03
- Reporter: Karthikeyan Singaravelan
Timeline¶
Timeline using the disclosure date 2019-01-03 as reference:
- 2019-01-03: Python issue bpo-35647 reported by Karthikeyan Singaravelan
- 2019-03-10 (+66 days): commit 0e1f1f0 (branch 3.8)
- 2019-03-10 (+66 days): commit 97c7d78 (branch 3.7)
- 2019-03-12 (+68 days): commit 5565b1d (branch 3.6)
- 2019-03-16 (+72 days): commit 382981b (branch 3.4)
- 2019-03-16 (+72 days): commit e260f09 (branch 3.5)
- 2019-03-18 (+74 days): Python 3.4.10 released
- 2019-03-18 (+74 days): Python 3.5.7 released
- 2019-03-25 (+81 days): Python 3.7.3 released
- 2019-06-15 (+163 days): commit ee15aa2 (branch 2.7)
- 2019-07-02 (+180 days): Python 3.6.9 released
- 2019-10-14 (+284 days): Python 3.8.0 released
- 2019-10-19 (+289 days): Python 2.7.17 released