Karthikeyan Singaravelan <[email protected]> added the comment:
Looking further into this, the domain validation makes it a little stricter
and can have wider implications. For example, the requests library uses
cookiejar to maintain cookies between sessions. One more case is that `domain`
can be empty, so only non-empty domains can be prefixed with a dot.

A simple server that sets Cookie with value `A=LDJDSFLKSDJLDSF`:

import SimpleHTTPServer
import logging

class MyHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):

    def do_GET(self):
        self.cookieHeader = self.headers.get('Cookie')
        SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)

    def end_headers(self):
        self.send_my_headers()
        SimpleHTTPServer.SimpleHTTPRequestHandler.end_headers(self)

    def send_my_headers(self):
        self.send_header('Set-Cookie', 'A=LDJDSFLKSDJLDSF')

if __name__ == '__main__':
    SimpleHTTPServer.test(HandlerClass=MyHTTPRequestHandler)

Add the below host entries to `/etc/hosts`:
127.0.0.1 test.com
127.0.0.1 1.test.com
127.0.0.1 footest.com
Sample script to demonstrate the requests behavior change:

import requests

with requests.Session() as s:
    cookies = dict(cookies_are='working')
    m = s.get("http://test.com:8000", cookies=cookies)
    print(m.request.headers)
    m = s.get("http://1.test.com:8000", cookies=cookies)
    print(m.request.headers)
    m = s.get("http://footest.com:8000", cookies=cookies)
    print(m.request.headers)

Before patch:
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'A=LDJDSFLKSDJLDSF;
cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'A=LDJDSFLKSDJLDSF;
cookies_are=working'}
After patch:
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'A=LDJDSFLKSDJLDSF;
cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'cookies_are=working'}
With my patch, since the cookie is set on `test.com`, while making a request
to `footest.com` the cookie is skipped, since footest is not a subdomain of
test.com but 1.test.com is a subdomain. This is a behavior change, and it needs
to be decided whether it is worth doing or whether to document this, since in a
client with a session, like the requests module, connecting to a lot of hosts,
this can potentially pass cookies of test.com to footest.com. A discussion on
the requests repo on providing the option for the user to set a stricter cookie
policy:
https://github.com/requests/requests/issues/2576

On testing with curl cookie-jar, it seems that the cookies are passed even for
the subdomain only when it's set and not as part of the top-level domain.
----------
______________________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue35121>
______________________________________________
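
An offline check of the domain matching discussed in this message, added here as an example in Python 3; it is not code from the patch or from the message's author. `suffix_only_ok` and `dotted_ok` are hypothetical helpers sketching the looser and the stricter comparison, and `cookie_header_sent` asks the running interpreter's own `http.cookiejar` which header it would send, so no server or `/etc/hosts` entries are needed.

```python
import http.cookiejar
import urllib.request

COOKIE_DOMAIN = "test.com"                          # host that set the cookie
HOSTS = ["test.com", "1.test.com", "footest.com"]   # hosts used in the message


def suffix_only_ok(req_host, cookie_domain):
    """Plain suffix comparison: 'footest.com' ends with 'test.com'."""
    return req_host.endswith(cookie_domain)


def dotted_ok(req_host, cookie_domain):
    """Compare on a label boundary; an empty domain is not dot-prefixed."""
    if cookie_domain and not cookie_domain.startswith("."):
        cookie_domain = "." + cookie_domain
    if not req_host.startswith("."):
        req_host = "." + req_host
    return req_host.endswith(cookie_domain)


def make_cookie(name, value, domain):
    """Cookie as stored for a Set-Cookie header with no Domain attribute."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=False, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={})


def cookie_header_sent(host, jar):
    """Return the Cookie header the stdlib jar would attach for this host."""
    req = urllib.request.Request("http://%s:8000/" % host)
    jar.add_cookie_header(req)      # only fills in headers, no network traffic
    return req.get_header("Cookie")


def run_checks():
    """Map each host to (suffix_only, dotted, header sent by stdlib)."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("A", "LDJDSFLKSDJLDSF", COOKIE_DOMAIN))
    return {h: (suffix_only_ok(h, COOKIE_DOMAIN), dotted_ok(h, COOKIE_DOMAIN),
                cookie_header_sent(h, jar)) for h in HOSTS}


if __name__ == "__main__":
    for host, (loose, strict, sent) in run_checks().items():
        print("%-12s suffix_only=%-5s dotted=%-5s stdlib_sends=%r"
              % (host, loose, strict, sent))
```

On an interpreter that includes the stricter check, the `stdlib_sends` column is empty for `footest.com` only, which makes this usable as a quick regression check for a deployed runtime.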