Strip leading . from cookie domain names. (#1041)

* Allow leading `.` in cookie domain names. * Add PR reference. * Strip leading dot as suggested by @d-maurer. * Make linter happy. * - small cleanups Co-authored-by: Jens Vagelpohl <[email protected]>
zopefoundation · May 20, 2022 · bc81ab4 · bc81ab4
1 parent c6a8e02
commit bc81ab4
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -20,7 +20,7 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 
 - Quote all components of a redirect URL (not only the path component)
   (`#1027 <https://github.com/zopefoundation/Zope/issues/1027>`_)
-  
+
 - Drop the convenience script generation from the buildout configuration
   in order to get rid of a lot of dependency version pins.
   These were only needed for maintainers who can install them manually.
@@ -32,6 +32,9 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
   to the complete matrix view when more than 30 roles are defined.
   (`#1039 <https://github.com/zopefoundation/Zope/pull/1039>`_)
 
+- Strip leading ``.`` in cookie domain names.
+  (`#1041 <https://github.com/zopefoundation/Zope/pull/1041>`_)
+
 
 5.5.1 (2022-04-05)
 ------------------

diff --git a/src/ZPublisher/cookie.py b/src/ZPublisher/cookie.py
@@ -25,6 +25,8 @@
 ``normalizeCookieParameterName`` and ``convertCookieParameter``.
 """
 import datetime
+from encodings.idna import ToASCII
+from encodings.idna import nameprep
 from itertools import chain
 from re import compile
 from time import time
@@ -240,8 +242,11 @@ def domain_converter(value):
     u_value = value.decode("utf-8") if isinstance(value, bytes) else value
     if "xn--" in u_value:  # already encoded
         return value
-    from encodings.idna import ToASCII
-    from encodings.idna import nameprep
+
+    # According to https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3 a
+    # leading dot is ignored. If it is there `ToASCII`, breaks on the empty
+    # string:
+    u_value = u_value.lstrip('.')
     return ".".join(to_str(ToASCII(nameprep(c))) for c in u_value.split("."))
 
 

diff --git a/src/ZPublisher/tests/testHTTPResponse.py b/src/ZPublisher/tests/testHTTPResponse.py
@@ -801,7 +801,7 @@ def test_redirect_nonascii(self):
         self._redirectURLCheck(exc, expected=ENC_URL)
 
     def test_redirect_nonascii_everywhere(self):
-        URL = u"http://uä:pä@sä:80/pä?qä#fä"
+        URL = "http://uä:pä@sä:80/pä?qä#fä"
         ENC_URL = "http://u%C3%A4:p%C3%A4@s%C3%A4:80/p%C3%A4?q%C3%A4#f%C3%A4"
         self._redirectURLCheck(URL, ENC_URL)
 

diff --git a/src/ZPublisher/tests/test_cookie.py b/src/ZPublisher/tests/test_cookie.py
@@ -145,6 +145,10 @@ def test_domain(self):
         _, v = convertCookieParameter("domain",
                                       "Fußball.example".encode())
         self.assertEqual(v, "fussball.example")
+        # a leading dot is stripped as it is ignored according to
+        # https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3
+        _, v = convertCookieParameter("domain", ".zope.dev")
+        self.assertEqual(v, "zope.dev")
 
     def test_path(self):
         # test object