Strip leading . from cookie domain names. (#1041)

* Allow leading `.` in cookie domain names. * Add PR reference. * Strip leading dot as suggested by @d-maurer. * Make linter happy. * - small cleanups Co-authored-by: Jens Vagelpohl <[email protected]>
zopefoundation · May 20, 2022 · f4bfc0b · f4bfc0b
1 parent c4c30f0
commit f4bfc0b
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -18,14 +18,17 @@ https://zope.readthedocs.io/en/2.13/CHANGES.html
 
 - Quote all components of a redirect URL (not only the path component)
   (`#1027 <https://github.com/zopefoundation/Zope/issues/1027>`_)
-  
+
 - Drop the convenience script generation from the buildout configuration
   in order to get rid of a lot of dependency version pins.
   These were only needed for maintainers who can install them manually.
   (`#1019 <https://github.com/zopefoundation/Zope/issues/1019>`_)
 
 - Update dependencies to the latest releases that still support Python 2.
 
+- Strip leading ``.`` in cookie domain names.
+  (`#1041 <https://github.com/zopefoundation/Zope/pull/1041>`_)
+
 
 4.8.1 (2022-04-05)
 ------------------

diff --git a/src/ZPublisher/cookie.py b/src/ZPublisher/cookie.py
@@ -25,6 +25,8 @@
 ``normalizeCookieParameterName`` and ``convertCookieParameter``.
 """
 import datetime
+from encodings.idna import ToASCII
+from encodings.idna import nameprep
 from itertools import chain
 from re import compile
 from time import time
@@ -241,8 +243,11 @@ def domain_converter(value):
     u_value = value.decode("utf-8") if isinstance(value, bytes) else value
     if "xn--" in u_value:  # already encoded
         return value
-    from encodings.idna import ToASCII
-    from encodings.idna import nameprep
+
+    # According to https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3 a
+    # leading dot is ignored. If it is there `ToASCII`, breaks on the empty
+    # string:
+    u_value = u_value.lstrip('.')
     return ".".join(to_str(ToASCII(nameprep(c))) for c in u_value.split("."))
 
 

diff --git a/src/ZPublisher/tests/test_cookie.py b/src/ZPublisher/tests/test_cookie.py
@@ -148,6 +148,10 @@ def test_domain(self):
         _, v = convertCookieParameter("domain",
                                       u"Fußball.example".encode("utf-8"))
         self.assertEqual(v, "fussball.example")
+        # a leading dot is stripped as it is ignored according to
+        # https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3
+        _, v = convertCookieParameter("domain", ".zope.dev")
+        self.assertEqual(v, "zope.dev")
 
     def test_path(self):
         # test object