path: root/Lib/http/cookiejar.py
Commit message  [Author, Date, Files, Lines]

* bpo-38976: Add support for HTTP Only flag in MozillaCookieJar (#17471)  [Jacob Neil Taylor, 2020-10-23, 1 file, -14/+26]
  Add support for HTTP Only flag in MozillaCookieJar
  Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>

* bpo-38804: Fix REDoS in http.cookiejar (GH-17157)  [bcaller, 2019-11-22, 1 file, -6/+12]
  The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
  expression denial of service (REDoS).

  LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to
  parse Set-Cookie headers returned by a server.

  Processing a response from a malicious HTTP server can lead to extreme CPU
  usage and execution will be blocked for a long time.

  The regex contained multiple overlapping \s* capture groups.

  Ignoring the ?-optional capture groups the regex could be simplified to

      \d+-\w+-\d+(\s*\s*\s*)$

  Therefore, a long sequence of spaces can trigger bad performance.

  Matching a malicious string such as

      LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

  caused catastrophic backtracking.

  The fix removes ambiguity about which \s* should match a particular space.

  You can create a malicious server which responds with Set-Cookie headers to
  attack all python programs which access it e.g.

      from http.server import BaseHTTPRequestHandler, HTTPServer


      def make_set_cookie_value(n_spaces):
          spaces = " " * n_spaces
          expiry = f"1-c-1{spaces}!"
          return f"b;Expires={expiry}"


      class Handler(BaseHTTPRequestHandler):
          def do_GET(self):
              self.log_request(204)
              self.send_response_only(204)  # Don't bother sending Server and Date
              n_spaces = (
                  int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                  if len(self.path) > 1
                  else 65506  # Max header line length 65536
              )
              value = make_set_cookie_value(n_spaces)
              for i in range(99):  # Not necessary, but we can have up to 100 header lines
                  self.send_header("Set-Cookie", value)
              self.end_headers()


      if __name__ == "__main__":
          HTTPServer(("", 44020), Handler).serve_forever()

  This server returns 99 Set-Cookie headers. Each has 65506 spaces.
  Extracting the cookies will pretty much never complete.

  Vulnerable client using the example at the bottom of
  https://docs.python.org/3/library/http.cookiejar.html :

      import http.cookiejar, urllib.request

      cj = http.cookiejar.CookieJar()
      opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
      r = opener.open("http://localhost:44020/")

  The popular requests library was also vulnerable without any additional
  options (as it uses http.cookiejar by default):

      import requests

      requests.get("http://localhost:44020/")

  * Regression test for http.cookiejar REDoS

  If we regress, this test will take a very long time.

  * Improve performance of http.cookiejar.ISO_DATE_RE

  A string like "444444" + (" " * 2000) + "A" could cause poor performance due
  to the 2 overlapping \s* groups, although this is not as serious as the REDoS
  in LOOSE_HTTP_DATE_RE was.

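The following is an added, stand-alone illustration of the backtracking the commit message above describes; it is not part of the commit and not CPython's code. It uses the simplified pattern the message itself gives, `\d+-\w+-\d+(\s*\s*\s*)$`, and, as an assumption for illustration, a single-`\s*` form standing in for the hardened regex (the real LOOSE_HTTP_DATE_RE change lives in the GH-17157 diff and is not reproduced here). Both are run on the `"1-c-1" + spaces + "!"` value from the message so the cost of the ambiguous pattern can be measured without any network traffic.

```python
import re
import time

# Simplified stand-in for the pre-fix LOOSE_HTTP_DATE_RE, using the reduction
# given in the bpo-38804 commit message: three adjacent \s* groups compete for
# the same run of spaces, and the anchored '$' fails on the trailing '!'.
# Every failure forces the engine to try another partition of the spaces
# among the three groups, which is cubic in the number of spaces.
VULNERABLE_DATE_RE = re.compile(r"\d+-\w+-\d+(\s*\s*\s*)$")

# Hardened form (an assumption for this example, not the stdlib's regex): one
# \s* per run of whitespace, so each space has exactly one group it can belong
# to and a failing '$' cannot trigger a re-partition.
FIXED_DATE_RE = re.compile(r"\d+-\w+-\d+(\s*)$")


def malicious_expires(n_spaces):
    """Expires value from the commit message: a plausible date, a run of
    spaces, then a character that makes the anchored match fail."""
    return "1-c-1" + " " * n_spaces + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n_spaces):
    """Run both patterns on the same malicious value and report the cost.

    Both reject the input; only the time to reach that verdict differs."""
    text = malicious_expires(n_spaces)
    vuln_matched, vuln_seconds = timed_match(VULNERABLE_DATE_RE, text)
    fixed_matched, fixed_seconds = timed_match(FIXED_DATE_RE, text)
    return {
        "n_spaces": n_spaces,
        "vulnerable_matched": vuln_matched,
        "fixed_matched": fixed_matched,
        "vulnerable_seconds": vuln_seconds,
        "fixed_seconds": fixed_seconds,
    }


def same_verdict(samples):
    """True if both patterns accept and reject exactly the same inputs.

    A REDoS fix must change the cost of matching, not the accepted language;
    this is the check to run alongside the regression test."""
    return all(
        (VULNERABLE_DATE_RE.match(s) is None) == (FIXED_DATE_RE.match(s) is None)
        for s in samples
    )


if __name__ == "__main__":
    # Constructed inputs: benign dates plus the malicious shape from the commit.
    print("same verdict:", same_verdict(["1-c-1", "12-Jan-2020", "1-c-1   ", "1-c-1 !"]))
    for n in (50, 100, 200, 400):
        print(compare(n))
```

Keep the space counts small when experimenting: the cost of the ambiguous pattern grows with the cube of the number of spaces, which is why the 65506-space value in the commit's server effectively never finishes.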
* bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies (GH-13921)  [Xtreak, 2019-09-13, 1 file, -2/+1]
  Handle time comparison for cookies with `expires` attribute when `CookieJar.make_cookies` is called.
  Co-authored-by: Demian Brecht <demianbrecht@gmail.com>
  https://bugs.python.org/issue12144
  Automerge-Triggered-By: @asvetlov

* bpo-35647: Fix path check in cookiejar (#11436)  [Xtreak, 2019-03-10, 1 file, -5/+9]
  * Refactor cookie path check as per RFC 6265
  * Add tests for prefix match of path
  * Add news entry
  * Fix set_ok_path and refactor tests
  * Use slice for last letter

* bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258)  [Xtreak, 2019-03-09, 1 file, -2/+11]
  Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.
  Patch by Karthikeyan Singaravelan.

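The following is an added example, not part of either of the two commits above (bpo-35647 and bpo-35121), showing what both fixes mean at the policy level using the stdlib jar itself: a host-only cookie set by example.com is returned to example.com but not to evilexample.com, and a cookie scoped to Path=/foo is sent to /foo and /foo/bar but not to /foobar. The `domain_suffix_match_*` helpers are simplified reconstructions of the suffix test before and after the "prefix dot" fix, written for illustration from the commit title rather than copied from the diff, and `path_match` is the RFC 6265 section 5.1.4 rule the path commit refers to. The cookie values and hostnames are constructed sample data.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, path, domain_specified=False):
    """Build a Netscape (version 0) cookie as a Set-Cookie header would leave
    it in the jar. domain_specified=False models a host-only cookie (no
    Domain attribute), which is the case bpo-35121 is about."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """Constructed sample jar: a host-only session cookie for example.com and
    a second cookie restricted to the /foo path."""
    jar = http.cookiejar.CookieJar(policy=http.cookiejar.DefaultCookiePolicy())
    jar.set_cookie(make_cookie("session", "abc", "example.com", "/"))
    jar.set_cookie(make_cookie("scoped", "1", "example.com", "/foo"))
    return jar


def cookie_header_for(jar, url):
    """Ask the jar which cookies it would attach to a request for url.

    Returns the Cookie header value, or None when the policy returns nothing."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Simplified reconstructions of the domain test for illustration only (not
# the stdlib's code): the flaw is a bare string-suffix comparison, the fix is
# to compare on a label boundary by prefixing a dot to both sides.
def domain_suffix_match_prefix(request_host, cookie_domain):
    # "evilexample.com".endswith("example.com") is True: cookie leaks.
    return request_host.endswith(cookie_domain)


def domain_suffix_match_postfix(request_host, cookie_domain):
    # ".evilexample.com".endswith(".example.com") is False; only a whole
    # label (example.com, sub.example.com) can match.
    if not cookie_domain.startswith("."):
        cookie_domain = "." + cookie_domain
    return ("." + request_host).endswith(cookie_domain)


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match, the rule bpo-35647 aligned with:
    equal paths match; otherwise the cookie path must be a prefix that ends
    in '/' or is followed by '/' in the request path, so /foo does not cover
    /foobar."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    jar = build_jar()
    for url in ("http://example.com/", "http://evilexample.com/",
                "http://example.com/foobar", "http://example.com/foo/bar"):
        print(url, "->", cookie_header_for(jar, url))
```

Running this against a Python that predates the two fixes would show the session cookie attached to the evilexample.com request and the /foo cookie attached to /foobar; on a fixed interpreter the jar's answers agree with `domain_suffix_match_postfix` and `path_match`.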
* bpo-36043: FileCookieJar supports os.PathLike (GH-11945)  [Stéphane Wirtel, 2019-03-01, 1 file, -4/+2]
  https://bugs.python.org/issue36043

* bpo-34911: Added support for secure websocket cookies (GH-9734)  [Paul Bailey, 2018-10-08, 1 file, -1/+3]

* bpo-31370: Remove support for threads-less builds (#3385)  [Antoine Pitrou, 2017-09-07, 1 file, -4/+1]
  * Remove Setup.config
  * Always define WITH_THREAD for compatibility.

* #27364: fix "incorrect" uses of escape character in the stdlib.  [R David Murray, 2016-09-08, 1 file, -3/+3]
  And most of the tools. Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and Martin Panter.

* Issue 19504: Change "customise" to "customize" American spelling.  [Raymond Hettinger, 2016-08-25, 1 file, -1/+1]

* Issue #27466: Change time format returned by http.cookie.time2netscape, confirming the netscape cookie format.  [Senthil Kumaran, 2016-07-10, 1 file, -1/+1]

* Fix typos in comments, documentation and test method names  [Martin Panter, 2016-05-08, 1 file, -1/+1]

* Issue #16181: cookiejar.http2time() now returns None if year is higher than datetime.MAXYEAR  [Berker Peksag, 2016-03-14, 1 file, -1/+4]

* Merge typo and grammar fixes from 3.4 into 3.5  [Martin Panter, 2015-11-14, 1 file, -4/+4]

* Correct Content-Type syntax in documentation  [Martin Panter, 2015-11-14, 1 file, -4/+4]

* Issue #25523: Merge a-to-an corrections from 3.4.  [Serhiy Storchaka, 2015-11-02, 1 file, -1/+1]

* Issue #25523: Further a-to-an corrections.  [Serhiy Storchaka, 2015-11-02, 1 file, -1/+1]

* Issue #23888: Handle fractional time in cookie expiry. Patch by ssh.  [Robert Collins, 2015-08-04, 1 file, -1/+1]

* Issue #23888: Handle fractional time in cookie expiry. Patch by ssh.  [Robert Collins, 2015-08-04, 1 file, -1/+1]

* Issue #22831: Use "with" to avoid possible fd leaks.  [Serhiy Storchaka, 2015-04-04, 1 file, -1/+0]

* Issue #23138: Fixed parsing cookies with absent keys or values in cookiejar.  [Serhiy Storchaka, 2015-03-13, 1 file, -15/+31]
  Patch by Demian Brecht.

* Issue #23138: Fixed parsing cookies with absent keys or values in cookiejar.  [Serhiy Storchaka, 2015-03-13, 1 file, -15/+31]
  Patch by Demian Brecht.

* merge 3.4 (#23221)  [Benjamin Peterson, 2015-01-13, 1 file, -1/+1]

* fix instances of consecutive articles (closes #23221)  [Benjamin Peterson, 2015-01-13, 1 file, -1/+1]
  Patch by Karan Goel.

* Issue #11957: Explicit parameter name when calling re.split() and re.sub()  [Victor Stinner, 2014-10-29, 1 file, -1/+1]

* Issue #22033: Reprs of most Python implemented classes now contain actual class name instead of hardcoded one.  [Serhiy Storchaka, 2014-07-25, 1 file, -1/+1]

* Fixed bugs in reprs of CookieJar and multiprocessing.dummy.Value.  [Serhiy Storchaka, 2014-07-22, 1 file, -2/+2]

* merge 3.3 (#20018)  [Benjamin Peterson, 2013-12-18, 1 file, -1/+1]

* update url to spec (closes #20018)  [Benjamin Peterson, 2013-12-18, 1 file, -1/+1]

* Issue #18200: Back out usage of ModuleNotFoundError (8d28d44f3a9a)  [Brett Cannon, 2013-07-04, 1 file, -1/+1]

* Issue #18200: Update the stdlib (except tests) to use ModuleNotFoundError.  [Brett Cannon, 2013-06-13, 1 file, -1/+1]

* #17678: Remove the use of a deprecated method http/cookiejar.py. Changing the usage of get_origin_req_host() to origin_req_host.  [Senthil Kumaran, 2013-04-09, 1 file, -1/+1]
  Patch by Wei-Cheng Pan

* #17678: Fix DeprecationWarning in the http/cookiejar.py by changing the usage of get_origin_req_host() to origin_req_host.  [Senthil Kumaran, 2013-04-09, 1 file, -1/+1]
  Patch by Wei-Cheng Pan

* modernize some modules' code by using with statement around open()  [Giampaolo Rodola', 2013-02-12, 1 file, -12/+3]

* Replace IOError with OSError (#16715)  [Andrew Svetlov, 2012-12-25, 1 file, -7/+6]

* more yield from  [Philip Jenvey, 2012-10-01, 1 file, -2/+1]
  patch by Serhiy Storchaka

* #15980: merge with 3.2.  [Ezio Melotti, 2012-09-21, 1 file, -2/+2]

* #15980: properly escape newlines in docstrings. Patch by Serhiy Storchaka.  [Ezio Melotti, 2012-09-21, 1 file, -2/+2]

* Issue #15409: Replace use of deprecated urllib.request.Request methods in http.cookiejar  [Meador Inge, 2012-07-20, 1 file, -4/+4]
  Patch by Flávio Ribeiro.

* Don’t interpret backslashes in ASCII diagram in a docstring  [Éric Araujo, 2011-11-07, 1 file, -1/+1]

* Remove duplication.  [Ezio Melotti, 2011-10-19, 1 file, -1/+1]

* merge 3.1  [Victor Stinner, 2011-03-21, 1 file, -6/+12]

* Issue #5537: Fix time2isoz() and time2netscape() functions of httplib.cookiejar for expiration year greater than 2038 on 32-bit systems.  [Victor Stinner, 2011-03-21, 1 file, -6/+12]

* Merged revisions 83370,83372-83374,83384 via svnmerge from  [Georg Brandl, 2010-08-01, 1 file, -3/+3]
  svn+ssh://svn.python.org/python/branches/py3k
  ........
  r83370 | georg.brandl | 2010-07-31 23:51:48 +0200 (Sa, 31 Jul 2010) | 5 lines
  #8198: the Helper class should not save the stdin and stdout objects at import time, rather by default use the current streams like the other APIs that output help.
  ........
  r83372 | georg.brandl | 2010-08-01 00:05:54 +0200 (So, 01 Aug 2010) | 1 line
  #4007: remove *.a and *.so.X.Y files in "make clean".
  ........
  r83373 | georg.brandl | 2010-08-01 00:11:11 +0200 (So, 01 Aug 2010) | 1 line
  #5147: revert accidental indentation of header constant for MozillaCookieJar.
  ........
  r83374 | georg.brandl | 2010-08-01 00:32:52 +0200 (So, 01 Aug 2010) | 1 line
  #5146: handle UID THREAD command correctly.
  ........
  r83384 | georg.brandl | 2010-08-01 08:32:55 +0200 (So, 01 Aug 2010) | 1 line
  Build properties using lambdas. This makes test_pyclbr pass again, because it does not think that input and output are methods anymore.
  ........

* Merged revisions 82985 via svnmerge from  [Gregory P. Smith, 2010-07-25, 1 file, -9/+6]
  svn+ssh://pythondev@svn.python.org/python/branches/py3k
  ........
  r82985 | gregory.p.smith | 2010-07-19 16:17:22 -0700 (Mon, 19 Jul 2010) | 3 lines
  Fixes Issue #3704: http.cookiejar was not properly handling URLs with a / in the parameters. (This is jjlee's issue3704.patch ported to py3k)
  ........

* #5147: revert accidental indentation of header constant for MozillaCookieJar.  [Georg Brandl, 2010-07-31, 1 file, -3/+3]

* Fixes Issue #3704: http.cookiejar was not properly handling URLs with a / in the parameters. (This is jjlee's issue3704.patch ported to py3k)  [Gregory P. Smith, 2010-07-19, 1 file, -9/+6]

* Merged revisions 81465-81466,81468,81679,81735,81760,81868,82183 via svnmerge from  [Benjamin Peterson, 2010-06-27, 1 file, -5/+15]
  svn+ssh://pythondev@svn.python.org/python/trunk
  ........
  r81465 | georg.brandl | 2010-05-22 06:29:19 -0500 (Sat, 22 May 2010) | 2 lines
  Issue #3924: Ignore cookies with invalid "version" field in cookielib.
  ........
  r81466 | georg.brandl | 2010-05-22 06:31:16 -0500 (Sat, 22 May 2010) | 1 line
  Underscore the name of an internal utility function.
  ........
  r81468 | georg.brandl | 2010-05-22 06:43:25 -0500 (Sat, 22 May 2010) | 1 line
  #8635: document enumerate() start parameter in docstring.
  ........
  r81679 | benjamin.peterson | 2010-06-03 16:21:03 -0500 (Thu, 03 Jun 2010) | 1 line
  use a set for membership testing
  ........
  r81735 | michael.foord | 2010-06-05 06:46:59 -0500 (Sat, 05 Jun 2010) | 1 line
  Extract error message truncating into a method (unittest.TestCase._truncateMessage).
  ........
  r81760 | michael.foord | 2010-06-05 14:38:42 -0500 (Sat, 05 Jun 2010) | 1 line
  Issue 8302. SkipTest exception in setUpClass or setUpModule is now reported as a skip rather than an error.
  ........
  r81868 | benjamin.peterson | 2010-06-09 14:45:04 -0500 (Wed, 09 Jun 2010) | 1 line
  fix code formatting
  ........
  r82183 | benjamin.peterson | 2010-06-23 15:29:26 -0500 (Wed, 23 Jun 2010) | 1 line
  cpython only gc tests
  ........

* #2834: Change re module semantics, so that str and bytes mixing is forbidden, and str (unicode) patterns get full unicode matching by default. The re.ASCII flag is also introduced to ask for ASCII matching instead.  [Antoine Pitrou, 2008-08-19, 1 file, -11/+11]

* Fix old urllib/urllib2/urlparse usage.  [Georg Brandl, 2008-06-23, 1 file, -1/+1]