[issue35121] Cookie domain check returns incorrect results

2019-07-15 Thread Riccardo Schirone
Riccardo Schirone added the comment: CVE-2018-20852 has been assigned to this flaw.

2019-06-27 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: I also reported it to secur...@python.org. Please check with them too to see if there is a CVE request already made. Thanks.

2019-06-27 Thread Riccardo Schirone
Riccardo Schirone added the comment: Did anybody request a CVE for this issue? I think it deserves one as it is a security issue and it may leak cookies to wrong domains. Does anybody have anything against assigning a CVE to this issue? If not, I would try to get one from MITRE.

2019-06-16 Thread STINNER Victor
STINNER Victor added the comment: Again, well done Karthikeyan Singaravelan!

2019-06-15 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Closing this as resolved since the fix was merged to all branches. Thank you all. -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

2019-06-15 Thread miss-islington
miss-islington added the comment: New changeset 979daae300916adb399ab5b51410b6ebd0888f13 by Miss Islington (bot) (Xtreak) in branch '2.7': [2.7] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (GH-13426)

2019-06-04 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: > Can someone try to backport the fix to Python 2.7? The backport to 2.7 PR 13426 is open. It would be helpful if someone can review it. I am not sure of the commit review process and who needs to review and approve it since this is assigned to

2019-06-04 Thread STINNER Victor
STINNER Victor added the comment: Can someone try to backport the fix to Python 2.7?

2019-06-04 Thread STINNER Victor
STINNER Victor added the comment: I added this issue to my security website: https://python-security.readthedocs.io/vuln/cookie-domain-check.html So it's fixed in Python 3.4.10, 3.5.7 and 3.7.3. Right now, 2.7 and 3.6 are vulnerable (but 3.6 branch is fixed). -- nosy: +vstinner

2019-05-19 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- pull_requests: +13336 stage: commit review -> patch review

2019-05-10 Thread Ned Deily
Change by Ned Deily: -- Removed message: https://bugs.python.org/msg342111

2019-05-10 Thread Ned Deily
Ned Deily added the comment: New changeset 42ad4101d3ba7ca3c371dadf0f8880764c9f15fb by larryhastings (Xtreak) in branch '3.4': [3.4] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (#12279)

2019-03-17 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Larry, I am reopening this since this seems to affect 2.7 and would wait for Benjamin's call on backporting this. -- resolution: fixed -> stage: resolved -> commit review status: closed -> open

2019-03-17 Thread Larry Hastings
Change by Larry Hastings: -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

2019-03-16 Thread Larry Hastings
Larry Hastings added the comment: New changeset 4749f1b69000259e23b4cc6f63c542a9bdc62f1b by larryhastings (Xtreak) in branch '3.5': [3.5] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (#12281)

2019-03-16 Thread Larry Hastings
Larry Hastings added the comment: New changeset 42ad4101d3ba7ca3c371dadf0f8880764c9f15fb by larryhastings (Xtreak) in branch '3.4': [3.4] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (#12279)

2019-03-11 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- pull_requests: +12261

2019-03-11 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- pull_requests: +12259 stage: commit review -> patch review

2019-03-10 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: There are many libraries that use DefaultCookiePolicy and requests library uses it for client where session state needs to be maintained across different requests. Currently, requests doesn't have a documented API to change the cookiejar policy and

2019-03-10 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: From my initial tests 3.4 and 3.5 were also affected. 3.4 is going EoL and RC1 is out but there is another security issue (issue36216) fixed last week with a PR open. If the merge window is open and Larry is okay then I can raise backport

2019-03-10 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: What about 3.4 and 3.5? -- nosy: +larry versions: +Python 3.4, Python 3.5

2019-03-09 Thread Ned Deily
Ned Deily added the comment: OK, thanks for the initial report and a big thank you to @xtreak for the PR and following up on things. The PR is now merged to master for 3.8.0 and backported as a security fix for release in 3.7.3 and 3.6.9. Reassigning to Benjamin for a decision on

2019-03-09 Thread Ned Deily
Change by Ned Deily: -- pull_requests: -12244

2019-03-09 Thread Ned Deily
Ned Deily added the comment: New changeset b241af861b37e20ad30533bc0b7e2e5491cc470f by Ned Deily (Miss Islington (bot)) in branch '3.6': bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (GH-12260)

2019-03-09 Thread Ned Deily
Ned Deily added the comment: New changeset e5123d81ffb3be35a1b2767d6ced1a097aaf77be by Ned Deily (Miss Islington (bot)) in branch '3.7': bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (GH-12261)

2019-03-09 Thread miss-islington
Change by miss-islington: -- pull_requests: +12246

2019-03-09 Thread miss-islington
Change by miss-islington: -- pull_requests: +12245

2019-03-09 Thread miss-islington
Change by miss-islington: -- pull_requests: +12244

2019-03-09 Thread Ned Deily
Ned Deily added the comment: New changeset ca7fe5063593958e5efdf90f068582837f07bd14 by Ned Deily (Xtreak) in branch 'master': bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) https://github.com/python/cpython/commit/ca7fe5063593958e5efdf90f068582837f07bd14

2019-02-12 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: This issue affects 2.7 as well along with 3.4 and 3.5. The initial report was notified to secur...@python.org. 2.7.16 release candidate dates were announced at https://mail.python.org/pipermail/python-dev/2019-February/156266.html. I have

2019-01-03 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: I have opened issue35647 for path related checks as a separate report.

2018-12-27 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: I have come across another behavior change between path checks while using the cookie jar implementation available in Python. This is related to incorrect cookie validation but with respect to path so let me know if this needs a separate ticket. I

2018-12-26 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Also looking at the docs for different frameworks like [Flask](http://flask.pocoo.org/docs/1.0/api/#flask.Response.set_cookie) and [Django](https://docs.djangoproject.com/en/2.1/ref/request-response/#django.http.HttpResponse.set_cookie) they

2018-12-24 Thread Serhiy Storchaka
Change by Serhiy Storchaka: -- nosy: +ned.deily priority: high -> release blocker type: behavior -> security

2018-12-23 Thread Ned Deily
Change by Ned Deily: -- nosy: +serhiy.storchaka

2018-12-23 Thread Ned Deily
Change by Ned Deily: -- keywords: +security_issue priority: normal -> high

2018-12-22 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Looking further into this the domain validation makes it a little stricter and can have wider implications. For example requests library uses cookiejar to maintain cookies between sessions. One more case is that `domain` can be empty so only

2018-11-02 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Good catch Windson! I overlooked the tests. There is also a comment that it's liberal in the test function. Since the code was added in 2006 I don't know if it's ok to fix this or not. I will let the reviewers take a call then. There is also

2018-11-02 Thread Windson Yang
Windson Yang added the comment: I wonder whether https://github.com/python/cpython/blob/master/Lib/test/test_http_cookiejar.py#L420 ("http://foo.bar.com/", "com", True), ("http://foo.com/", "com", True), are expected behavior? -- nosy: +Windson Yang

2018-10-31 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- nosy: +martin.panter, orsenthil

2018-10-31 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Thanks for the confirmation. I have created a PR (https://github.com/python/cpython/pull/10258) with test and added 3.8 as affected version. Please add in if I have missed anything in the PR. -- versions: +Python 3.8

2018-10-31 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- keywords: +patch pull_requests: +9569 stage: -> patch review

2018-10-31 Thread 西田雄治
西田雄治 added the comment: I think that is the desired result. Thanks!

2018-10-31 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: The current set of tests are at https://github.com/python/cpython/blob/0353b4eaaf451ad463ce7eb3074f6b62d332f401/Lib/test/test_http_cookiejar.py#L406 . A simple set of tuple that can be added based on the report as below : ("http://barfoo.com",

2018-10-31 Thread 西田雄治
New submission from 西田雄治: http.cookiejar.DefaultPolicy.domain_return_ok returns incorrect results. So, HTTP clients send cookies which were issued by the wrong server. policy = http.cookiejar.DefaultCookiePolicy() req = urllib.request.Request('https://xxxfoo.co.jp/')
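The report above, the "prefix dot in domain" fix title in the changesets, and the later comments about requests relying on DefaultCookiePolicy describe the problem and the remedy but never show the leak end to end. The block below is an added example written for this page; it is not code from the thread or from CPython. It reproduces the bare-suffix matching of the pre-fix policy in a subclass (a simplified re-implementation, not the stdlib's own code) so the leak can be seen on any interpreter, and shows the client-side hardening a consumer of a vulnerable 2.7/3.6 interpreter could apply: subclass DefaultCookiePolicy, dot-prefix the cookie domain before the suffix test, then defer to the stock checks. The hosts (foo.co.jp, xxxfoo.co.jp, www.foo.co.jp) and the Set-Cookie header are constructed to mirror the report; the response stand-in and the class names are this example's own.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy, eff_request_host


def _dotted(name):
    """Prefix a host or cookie domain with '.' unless it already has one."""
    return name if name.startswith(".") else "." + name


class PreFixSuffixPolicy(DefaultCookiePolicy):
    """Simplified re-implementation of the pre-fix matching (not the stdlib's
    own code): a bare suffix test, so 'xxxfoo.co.jp' matches a cookie stored
    under 'foo.co.jp'. Lets the leak be reproduced on a fixed interpreter."""

    def domain_return_ok(self, domain, request):
        req_host, erhn = eff_request_host(request)
        return _dotted(req_host).endswith(domain) or _dotted(erhn).endswith(domain)

    def return_ok_domain(self, cookie, request):
        _, erhn = eff_request_host(request)
        return _dotted(erhn).endswith(cookie.domain)


class DotPrefixPolicy(DefaultCookiePolicy):
    """Client-side hardening for an interpreter without the fix: dot-prefix the
    cookie domain before the suffix test, then defer to the stock checks
    (blocked/allowed domain lists). On a fixed interpreter it changes nothing."""

    def domain_return_ok(self, domain, request):
        req_host, erhn = eff_request_host(request)
        dotdomain = _dotted(domain)
        if not (_dotted(req_host).endswith(dotdomain)
                or _dotted(erhn).endswith(dotdomain)):
            return False
        return super().domain_return_ok(domain, request)

    def return_ok_domain(self, cookie, request):
        _, erhn = eff_request_host(request)
        if cookie.version == 0 and not _dotted(erhn).endswith(_dotted(cookie.domain)):
            return False
        return super().return_ok_domain(cookie, request)


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def cookie_header_sent(policy, set_by_url, set_cookie_value, request_url):
    """Store a cookie that `set_by_url` set via Set-Cookie in a jar governed by
    `policy`, then return the Cookie header the jar attaches to a request for
    `request_url` (None if the policy withholds the cookie)."""
    jar = CookieJar(policy=policy)
    headers = email.message.Message()
    headers["Set-Cookie"] = set_cookie_value
    jar.extract_cookies(_Response(headers), urllib.request.Request(set_by_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed scenario modelled on the report: a host-only session cookie from
# foo.co.jp (no Domain attribute, so the jar stores it under "foo.co.jp"),
# then a request to the unrelated host xxxfoo.co.jp.
ISSUER = "https://foo.co.jp/"
SET_COOKIE = "session=abc123; Path=/"
UNRELATED = "https://xxxfoo.co.jp/"
SUBDOMAIN = "https://www.foo.co.jp/"


def leaks_to_unrelated_host(policy):
    """True if `policy` would send the foo.co.jp cookie to xxxfoo.co.jp."""
    return cookie_header_sent(policy, ISSUER, SET_COOKIE, UNRELATED) is not None


if __name__ == "__main__":
    for name, policy in [("pre-fix suffix match", PreFixSuffixPolicy()),
                         ("this interpreter's DefaultCookiePolicy", DefaultCookiePolicy()),
                         ("dot-prefixed policy", DotPrefixPolicy())]:
        print(f"{name}: leaks to xxxfoo.co.jp = {leaks_to_unrelated_host(policy)};"
              f" sent to www.foo.co.jp = "
              f"{cookie_header_sent(policy, ISSUER, SET_COOKIE, SUBDOMAIN)!r}")
```

Running it with the interpreter's own DefaultCookiePolicy tells you whether that interpreter carries the fix. Note that even the fixed check remains liberal in the direction the thread's tests document: a host-only cookie from foo.co.jp is still sent to www.foo.co.jp, since the dot-prefixed suffix test accepts true subdomains; what it stops is the unrelated-host match.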