gh-135768: fix allowed/blocked IPv6 domains in http.cookiejar
#135771
Conversation
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Bénédikt Tran <[email protected]>
Misc/NEWS.d/next/Library/2025-06-20-17-03-51.gh-issue-135768.DhUJWf.rst
Outdated
Show resolved
Hide resolved
…hUJWf.rst Co-authored-by: Bénédikt Tran <[email protected]>
picnixz
changed the title
http.cookiejarhttp.cookiejar
Done. |
Co-authored-by: Bénédikt Tran <[email protected]>
I'll work on this since this PR is done. |
No, wait until this is merged. We may need a new issue but this is not pressing right now. Focus on this one first. |
There was a problem hiding this comment.
Please, be more careful with your choices. First, answer my question about .local (why are we adding it in the first place?)
Second, detecting whether something is an IP or not needs to be more robust. For instance, we could block domains without using [] notation and only ::. Indeed, an IPv6 is not enclosed by [].
Finally, it would be good if we had more RFC-backed choices.
| if text.startswith('[') and text.endswith(']'): | ||
| try: | ||
| IPv6Address(text.removeprefix('[').removesuffix(']')) | ||
| except ValueError: | ||
| return False | ||
| else: | ||
| return False # not a IPv6 address in [] |
There was a problem hiding this comment.
Why are IPv6 addressed not surrounded [] rejected? when making a request, we would use http://[::1] for instance, but we could decide to reject the domain ::1 itself. Please be more careful. Instead, we should make it allow both valid IPv6 addresses as well as IPv6 addresses enclosed in '[]'. But then, we need to be careful with the matching. Should [::1] be matched against ::1 or [::1] only?
Try to look at the RFC as well to see if there are more information about IPv6 domains.
Lib/test/test_http_cookiejar.py
Outdated
| self.assertFalse(is_HDN("")) | ||
| self.assertFalse(is_HDN(".")) | ||
| self.assertFalse(is_HDN(".foo.bar.com")) | ||
| self.assertFalse(is_HDN("..foo")) | ||
| self.assertFalse(is_HDN("foo.")) | ||
|
|
||
| def test_is_ip(self): | ||
| self.assertTrue(is_ip('[::1]')) |
There was a problem hiding this comment.
Strictly speaking, it's not an IPv6. It's a netloc with an IPv6 inside it. We should perhaps name is_ip_like instead and also treat ::1 as a valid IP (for blocked domains). I don't have an answer to that question so I'd prefer to know if there is some recommendations done by RFCs.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
because using .local in IPv6 doesn't make any sense. It will change the input IPv6 to something like The additional .local is designed for HDNs not IP addresses. Before this PR. We assumed that there are only two types of input: IPv4 addr and HDN. IPv4 indeed contains dots. Some abnormal HDN do not contain dot, than we are adding a .local at the end of it. This is the expected case. But, IPv6 is a edge case. It do not contains dot. And it is not a HDN. Adding .local after a IPv6 address is meaningless and, the most important thing, will cause error in logic when we are blocking hosts. Since the IPv6 is It is the |
|
My question was more: why did we add .local for IPv4 in the first place. There is a bunch of logic involving local domains in |
I might be stupid here, but I think we are actually not adding .local for IPv4. RFC 2965 quotes:
And the implementation is correct. IPv4 contains dots so so sorry in advanced if I misunderstand the code |
|
you can locally test this by adding breakpoints in func import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy
class FakeResponse:
def __init__(self, headers=[], url=None):
"""
headers: list of RFC822-style 'Key: value' strings
"""
import email
self._headers = email.message_from_string("\n".join(headers))
self._url = url
def info(self): return self._headers
pol = DefaultCookiePolicy(
rfc2965=True, blocked_domains=[])
c = CookieJar(policy=pol)
headers = ["Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/"]
pol.set_blocked_domains(['acme'])
req = urllib.request.Request("http://acme")
res = FakeResponse(headers, "http://acme")
c.extract_cookies(res, req)
# And
c.clear()
pol.set_blocked_domains(['127.0.0.1'])
req = urllib.request.Request("http://127.0.0.1")
res = FakeResponse(headers, "http://127.0.0.1")
c.extract_cookies(res, req) |
|
And for the issue of
I chose to use only |
Oups my bad. Ok, so this is an RFC thing. Now, is there a similar RFC for IPv6? (It appears that there is a lot of code that is IPv-4 only but if we're adding support to IPv6, we need to make it work everywhere actually).
no worries!
Sorry but I don't have time for that. |
I think we could treat them in seperate issues and PRs, I think we could just focus on fixing allowed/blocked IPv6 domains in
I really thank you so much for your time. My coding skills and experiences have improved by all this. |
|
And for the But hey, users are likely to use ::1 if they don't read the docs very carefully, I actually don't know how to deal with this problem very properly. I need your suggestions tho @picnixz. Thanks! |
|
No worries of The only related change of other funcs is (There are indeed a hole bunch of things to change if we are going to support IPv6 entirely)
I'll take a look at this after this PR is merged. |
PR for #135768, Thanks!
http.cookiejar#135768