From 2b7e04d61274af03426975fe824ed83eca35b035 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com>
Date: Fri, 25 Feb 2022 03:57:30 -0800
Subject: bpo-46756: Fix authorization check in urllib.request (GH-31353)

Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
(cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a)

Co-authored-by: Serhiy Storchaka
---
 Lib/urllib/request.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'Lib/urllib/request.py')

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index eca6cc3501..34b1b0b0b7 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -889,10 +889,10 @@ class HTTPPasswordMgr:
             return True
         if base[0] != test[0]:
             return False
-        common = posixpath.commonprefix((base[1], test[1]))
-        if len(common) == len(base[1]):
-            return True
-        return False
+        prefix = base[1]
+        if prefix[-1:] != '/':
+            prefix += '/'
+        return test[1].startswith(prefix)
 
 
 class HTTPPasswordMgrWithDefaultRealm(HTTPPasswordMgr):
-- 
cgit v1.2.1
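Review bot: The new segment-boundary check compares `test[1]` textually against `prefix` without normalizing dot-segments, so a request path such as `/foo/../other` still satisfies `startswith('/foo/')` although it resolves outside the protected space; if the caller does not already collapse `..` segments before this point (reduce_uri is outside the hunk, so I cannot confirm), applying `posixpath.normpath` to both paths before the comparison would close that gap. The security intent of the added lines is also undocumented; I would add `# Match only on whole path segments: "/foo" protects "/foo/bar" but not "/foobar".` above `prefix = base[1]`. The enclosing method (is_suburi) begins outside the hunk.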