http.cookiejar: Incorrect validation of path

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Cookies set for example.com with path=/any were sent with requests to example.com/anybad/ when the cookiejar used the http.cookiejar.DefaultCookiePolicy policy. The path check was a plain prefix match: it did not require that the first character of the request path after the matching cookie-path prefix be a slash (or that the cookie path itself end in a slash), as the path-match rule in RFC 6265 section 5.1.4 does. As a result, a cookie scoped to one path could be disclosed to an unrelated path on the same host whose name merely shares the prefix.
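The following is an added example, not code from CPython or from the issue. It re-implements the pre-fix prefix test next to the RFC 6265 path-match rule, and then probes the running interpreter's own http.cookiejar with a constructed version-0 cookie (name "sid", value "abc", domain example.com, path /any) and constructed request URLs, all offline, so the two matchers can be compared against real behaviour. The cookie name, value and the URL list are assumptions made for the demonstration.

```python
"""Cookie path matching before and after the bpo-35647 fix.

Added example, not code from CPython.  vulnerable_path_match() mirrors the
pre-fix prefix test, rfc6265_path_match() the RFC 6265 section 5.1.4 rule,
and stdlib_sends_cookie() asks this interpreter's http.cookiejar what it
would do with a constructed cookie (sid=abc, domain example.com, path /any).
"""
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.parse import urlsplit
from urllib.request import Request


def vulnerable_path_match(cookie_path, request_path):
    """Pre-fix logic: a bare prefix test, so /any matches /anybad/."""
    return request_path.startswith(cookie_path)


def rfc6265_path_match(cookie_path, request_path):
    """RFC 6265 s5.1.4 path-match: identical, or prefix plus a '/' boundary.

    The boundary condition is what the fix added: either the cookie path
    ends in '/', or the first request-path character after the matched
    prefix is '/'.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path):len(cookie_path) + 1] == "/"


def request_path_of(url):
    """Path component of a URL, normalised to start with '/'."""
    path = urlsplit(url).path
    return path if path.startswith("/") else "/" + path


def compare(cookie_path, urls):
    """Map each URL to (prefix_only_result, rfc6265_result)."""
    return {
        url: (
            vulnerable_path_match(cookie_path, request_path_of(url)),
            rfc6265_path_match(cookie_path, request_path_of(url)),
        )
        for url in urls
    }


def stdlib_sends_cookie(url, cookie_path="/any"):
    """True if this interpreter's http.cookiejar attaches the cookie to url.

    A version-0 (Netscape) cookie is stored directly in the jar and
    add_cookie_header() is run on a Request for url; no network I/O occurs.
    Constructed cookie values: name "sid", value "abc", domain example.com.
    """
    jar = CookieJar(policy=DefaultCookiePolicy())
    jar.set_cookie(Cookie(
        version=0, name="sid", value="abc",
        port=None, port_specified=False,
        domain="example.com", domain_specified=False, domain_initial_dot=False,
        path=cookie_path, path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    ))
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") is not None


if __name__ == "__main__":
    # Constructed request URLs covering the boundary cases.
    urls = [
        "http://example.com/any",
        "http://example.com/any/",
        "http://example.com/any/sub",
        "http://example.com/anybad/",
        "http://example.com/an",
    ]
    for url, (old, new) in compare("/any", urls).items():
        print(f"{url:32} prefix-only={old!s:5} rfc6265={new!s:5} "
              f"this-python={stdlib_sends_cookie(url)}")
```

On an interpreter that carries the fix, the `this-python` column agrees with the `rfc6265` column and the cookie is withheld from /anybad/; on a pre-fix interpreter it agrees with `prefix-only`. The probe is a quick way to confirm which behaviour a given deployment has without reading version strings.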

Dates:

  • Disclosure date: 2019-01-03 (Python issue bpo-35647 reported)

Fixed In

Python issue

Cookie path check returns incorrect results.

  • Python issue: bpo-35647
  • Creation date: 2019-01-03
  • Reporter: Karthikeyan Singaravelan

Timeline

Timeline using the disclosure date 2019-01-03 as reference: