twisted / treq

Python requests like API built on top of Twisted's HTTP client.

Fix cookie scoping for HTTPS urls. #343

Closed dreid closed 2 years ago

dreid commented 2 years ago

If Cookie.port is specified (not None), then CookieJar will attempt to compare it to the port for the Request object by first parsing it out of Request.host and, if there is no port specified there, falling back to the DEFAULT_HTTP_PORT value of 80.

This caused cookies to never be sent for HTTPS domains because the Cookie.port was set to 443, and the _FakeUrllib2Request.host did not contain the default port value.

I've also added a test to make sure non-default port values work properly.
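The port check described above can be reproduced with the standard library alone. This is an added example, not code from the PR or from treq: it uses `http.cookiejar.CookieJar` with `urllib.request.Request` in place of treq's `_FakeUrllib2Request`, and the `example.com` host, cookie name and value are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(port):
    """Build a constructed version-0 cookie for example.com scoped to `port`.

    `port` is a string such as "443", or None for a cookie with no port scope.
    """
    return Cookie(
        version=0, name="session", value="abc",
        port=port, port_specified=port is not None,
        domain="example.com", domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header(cookie_port, url):
    """Return the Cookie header CookieJar attaches to a request for `url`,
    or None when the jar decides the cookie must not be sent."""
    jar = CookieJar()
    jar.set_cookie(make_cookie(cookie_port))
    request = Request(url)
    # CookieJar reads the port out of request.host; when the host has no
    # ":port" suffix it falls back to DEFAULT_HTTP_PORT ("80"), even for https.
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("443", "https://example.com/"),        # host lacks port: compared to 80
        ("443", "https://example.com:443/"),    # host carries port: match
        ("8443", "https://example.com:8443/"),  # non-default port: match
        ("8443", "https://example.com/"),       # wrong port: withheld
        ("80", "https://example.com/"),         # matches only via the fallback
        (None, "https://example.com/"),         # no port scope: always eligible
    ]
    for port, url in cases:
        print(f"cookie.port={port!r:7} {url:28} -> {cookie_header(port, url)!r}")
```

The first case is the failure the PR describes: a cookie scoped to port 443 is withheld from an HTTPS request whose host string omits the port.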

glyph commented 2 years ago

@twm if you have a minute to do another fast-following release once this lands, that would be great; this is a pretty bad bug in our security fix :-|