Impact
Treq's request methods (treq.get
, treq.post
, HTTPClient.request
, HTTPClient.get
, etc.) accept cookies as a dictionary, for example:
treq.get('https://example.com/', cookies={'session': '1234'})
Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com
redirect to http://cloudstorageprovider.com
the latter will receive the cookie session
.
Patches
Treq 2021.1.0 and later bind cookies given to request methods (treq.request
, treq.get
, HTTPClient.request
, HTTPClient.get
, etc.) to the origin of the url parameter.
Workarounds
Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar
instance with properly domain- and scheme-scoped cookies in it:
from http.cookiejar import CookieJar
from requests.cookies import create_cookie
jar = CookieJar()
jar.add_cookie(
create_cookie(
name='session',
value='1234',
domain='example.com',
secure=True,
),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')
References
Impact
Treq's request methods (
treq.get
,treq.post
,HTTPClient.request
,HTTPClient.get
, etc.) accept cookies as a dictionary, for example:Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should
https://example.com
redirect tohttp://cloudstorageprovider.com
the latter will receive the cookiesession
.Patches
Treq 2021.1.0 and later bind cookies given to request methods (
treq.request
,treq.get
,HTTPClient.request
,HTTPClient.get
, etc.) to the origin of the url parameter.Workarounds
Instead of passing a dictionary as the cookies argument, pass a
http.cookiejar.CookieJar
instance with properly domain- and scheme-scoped cookies in it:References