Skip to content

Warn when cookie domain is set to an IP #2105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jjoliveira wants to merge 5 commits into from
Closed

Warn when cookie domain is set to an IP #2105

jjoliveira wants to merge 5 commits into from

Conversation

@jjoliveira
Copy link
Contributor

@jjoliveira jjoliveira commented Dec 4, 2016

Possible solution for issue #2007, it gives a warning message when an IP is set as SESSION_COOKIE_DOMAIN as user untitaker asked us to do, SERVER_DOMAIN isn't checked because he didn't remembered why it was needed, but the function is_IP in /flask/helpers is prepared to it. If you have any doubt feel free to ask.

ThiefMaster
ThiefMaster reviewed Dec 4, 2016
View reviewed changes
flask/helpers.py Outdated
"""
return td.days * 60 * 60 * 24 + td.seconds

def is_IP(string, var_name):

This comment was marked as off-topic.

Sign in to view

ThiefMaster
ThiefMaster reviewed Dec 4, 2016
View reviewed changes
flask/sessions.py Outdated

def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
is_IP(domain, "SESSION_COOKIE_DOMAIN")

This comment was marked as off-topic.

Sign in to view

@ThiefMaster
Copy link
Member

ThiefMaster commented Dec 4, 2016
edited
Loading

I think instead of string operations the proper way to check whether it's an IP is using socket.inet_pton() and returning True if it doesn't raise, otherwise False.

Something like this:

for family in (socket.AF_INET, socket.AF_INET6):
    try:
        socket.inet_pton(family, ip)
    except socket.error:
        pass
    else:
        return True
return False

@jjoliveira
Copy link
Contributor Author

jjoliveira commented Dec 4, 2016

@ThiefMaster What should be the category of the warning message?

@ThiefMaster
Copy link
Member

ThiefMaster commented Dec 4, 2016

maybe RuntimeWarning... I'd check if Flask uses any other warnings (that are not deprecation-related) and possibly use the same type

Also, tests are failing since you don't handle the case where the domain is unset, i.e. None

@jjoliveira
Copy link
Contributor Author

jjoliveira commented Dec 4, 2016

@ThiefMaster How can I get the socket of the session when I call the function is_ip() in the save_session() function?

@ThiefMaster
Copy link
Member

ThiefMaster commented Dec 4, 2016

It's a function from python's socket module, so you simple import socket at the top of the file...

ThiefMaster
ThiefMaster reviewed Dec 4, 2016
View reviewed changes
flask/sessions.py Outdated
def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
is_IP(domain, "SESSION_COOKIE_DOMAIN")
if domain != None:

This comment was marked as off-topic.

Sign in to view

ThiefMaster
ThiefMaster reviewed Dec 4, 2016
View reviewed changes
flask/sessions.py Outdated
def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
if domain != None:
is_ip(domain, "SESSION_COOKIE_DOMAIN", self)

This comment was marked as off-topic.

Sign in to view

@jjoliveira
Copy link
Contributor Author

jjoliveira commented Dec 4, 2016
edited
Loading

@ThiefMaster Sorry for that, in my last commit all the unit tests are passing. I also did the changes you asked for.

untitaker
untitaker reviewed Dec 7, 2016
View reviewed changes
flask/sessions.py

def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
if domain is not None:

This comment was marked as off-topic.

Sign in to view

flask/sessions.py
domain = self.get_cookie_domain(app)
if domain is not None:
if is_ip(domain):
warnings.warn("IP introduced in SESSION_COOKIE_DOMAIN", RuntimeWarning)

This comment was marked as off-topic.

Sign in to view

@davidism davidism changed the title #2007 Warn when cookie domain is set to an IP Apr 19, 2017
@davidism
Copy link
Member

davidism commented May 12, 2017

@untitaker can you make a decision on this?

@untitaker
Copy link
Contributor

untitaker commented May 12, 2017 via email

@davidism
Copy link
Member

davidism commented May 12, 2017

Setting SESSION_COOKIE_DOMAIN = '127.0.0.1:5000' works fine. The issue is when it's detected through SERVER_NAME instead, in which case Flask adds a '.' before the "domain", which Chrome doesn't like (rightly so, an IP isn't a domain). We can just use the is_ip function to decide to remove the '.' prefix and things will work as expected.

@davidism
Copy link
Member

davidism commented May 13, 2017
edited
Loading

I don't like running is_ip for every request when ideally domain will not be an IP.

@davidism davidism mentioned this pull request May 14, 2017
Merged
@davidism
Copy link
Member

davidism commented May 14, 2017

Continued in #2282.

@davidism davidism closed this May 14, 2017
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ThiefMaster ThiefMaster ThiefMaster left review comments

+1 more reviewer

@untitaker untitaker untitaker left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jjoliveira @ThiefMaster @davidism @untitaker @mferreira96