Impact
Treq's request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary, for example:
treq.get('https://example.com/', cookies={'session': '1234'})Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.
Patches
Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter.
Workarounds
Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it:
from http.cookiejar import CookieJar
from requests.cookies import create_cookie
jar = CookieJar()
jar.add_cookie(
create_cookie(
name='session',
value='1234',
domain='example.com',
secure=True,
),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')References
References
Impact
Treq's request methods (
treq.get,treq.post,HTTPClient.request,HTTPClient.get, etc.) accept cookies as a dictionary, for example:Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should
https://example.comredirect tohttp://cloudstorageprovider.comthe latter will receive the cookiesession.Patches
Treq 2021.1.0 and later bind cookies given to request methods (
treq.request,treq.get,HTTPClient.request,HTTPClient.get, etc.) to the origin of the url parameter.Workarounds
Instead of passing a dictionary as the cookies argument, pass a
http.cookiejar.CookieJarinstance with properly domain- and scheme-scoped cookies in it:References
References