Add cookiejar path related security issue #15
Conversation
```yaml
- name: "CVE-2019-9947: CRLF injection attack in urllib"
  cve: CVE-2019-9947
  bpo: 30458
  disclosure: "2019-01-03 (Python issue bpo-35647 reported)"
  reported-at: "2019-01-03"
  reported-by: "Karthikeyan Singaravelan"
  affected-versions:
```
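Review bot: the `disclosure` value on this entry refers to bpo-35647, but the entry itself is for bpo-30458 / CVE-2019-9947, so the date and reference do not belong to this issue; since `disclosure` is generated for each entry anyway, drop the field here instead of carrying it over from the cookiejar entry.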
Remove affected-versions, it's redundant.
```yaml
- name: "bpo-35755: Remove current directory from posixpath.defpath"
  bpo: 35755
  disclosure: "2019-01-17 (Reported by bpo-35755)"
```
disclosure, reported-at, reported-by and affected-versions are generated automatically.
I have removed the auto-generated fields mentioned. I removed the urllib and defpath items as suggested. This PR adds only the cookiejar path related vulnerability.
```yaml
    `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan
    Singaravelan.

- name: "bpo-35647: Incorrect validation of path in http.cookiejar"
```
Please remove "bpo-35647: " prefix.
```yaml
    - 3.8: 0e1f1f01058bd4a9b98cfe443214adecc019a38c
  description: |
    Cookies of example.com with path=/any where sent to example.com/anybad/
    while using a cookiejar with http.cookiejar.DefaultCookiePolicy policy.
```
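Review bot: typo in the description, "where sent" should be "were sent" (first line of the `description` block); worth fixing in the same pass as the reST markup so the rendered entry reads "Cookies of ``example.com`` with ``path=/any`` were sent to ``example.com/anybad/``".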
Please use reST syntax here for better rendering:

```
Cookies of ``example.com`` with ``path=/any`` where sent to ``example.com/anybad/``
while using a cookiejar with ``http.cookiejar.DefaultCookiePolicy`` policy.
```
Thanks, merged. It's good to see more contributors on this project ;-) I was feeling alone :-D @tirkarthi: Can you try to add a script to detect if Python is vulnerable to bpo-35647 in check-python-vuln//check-python-vuln.py?
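The bug described in the entry above (a cookie scoped to `path=/any` attached to a request for `/anybad/`) and the detection script requested here, as an added example that is not the PR's or the python-security project's own code: it builds a jar with `DefaultCookiePolicy`, adds a constructed cookie for `example.com`, and reports whether the running interpreter still attaches it to the wrong path, next to the RFC 6265 path-match rule the fix implements. The host, cookie name and value are constructed sample data; no request is sent.

```python
"""Added example (not code from the PR or the python-security project):
probe whether the running interpreter's http.cookiejar still has the
bpo-35647 path bug, and show the path-match rule the fix implements."""
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.request import Request


def rfc6265_path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match: paths are equal, or the cookie path
    is a prefix of the request path that ends in '/' or is followed by '/'.
    A plain startswith() check (the bug) would also accept /anybad/ for /any."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def make_cookie(name, value, domain, path):
    """Build a version-0 cookie directly so no HTTP response is needed."""
    return Cookie(version=0, name=name, value=value,
                  port=None, port_specified=False,
                  domain=domain, domain_specified=True, domain_initial_dot=False,
                  path=path, path_specified=True, secure=False, expires=None,
                  discard=False, comment=None, comment_url=None, rest={})


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url.
    add_cookie_header() only inspects the Request object; nothing is sent."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def is_vulnerable_to_bpo35647():
    """True if a cookie scoped to path=/any is attached to a request for
    /anybad/ (example.com and the cookie are constructed sample data)."""
    jar = CookieJar(policy=DefaultCookiePolicy())
    jar.set_cookie(make_cookie("session", "abc123", "example.com", "/any"))
    if cookie_header_for(jar, "http://example.com/any/page") != "session=abc123":
        raise RuntimeError("sanity check failed: cookie not sent to its own path")
    return cookie_header_for(jar, "http://example.com/anybad/") is not None


if __name__ == "__main__":
    print("vulnerable to bpo-35647" if is_vulnerable_to_bpo35647() else "fixed")
```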
Thanks Victor for merging it. Sure, I will add a script as another PR.
I had it in my fork and forgot to push it. bpo 30458 is also fixed but not updated. I will add them. I am opening this as WIP to make sure I don't forget it.