Security bug fixes
- When a ``Request`` object with cookies defined gets a redirect response, causing a new ``Request`` object to be scheduled, the cookies defined in the original ``Request`` object are no longer copied into the new ``Request`` object.

  If you manually set the ``Cookie`` header on a ``Request`` object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original ``Request`` object, your ``Cookie`` header is now dropped from the new ``Request`` object.

  The old behavior could be exploited by an attacker to gain access to your cookies, since a redirect to a domain under the attacker's control carried the cookies of the original request along with it. Please, see the cjvr-mfj7-j4j8 security advisory for more information.

  Note: It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g. ``example.com`` and any subdomain) by defining the shared domain suffix (e.g. ``example.com``) as the cookie domain when defining your cookies. See the documentation of the ``Request`` class for more information.
- When the domain of a cookie, either received in the ``Set-Cookie`` header of a response or defined in a ``Request`` object, is set to a `public suffix <https://publicsuffix.org/>`_, the cookie is now ignored unless the cookie domain is the same as the request domain.

  The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker: a cookie set with domain ``co.uk`` from ``attacker.co.uk`` would otherwise match every ``.co.uk`` host. Please, see the mfjm-vh54-3f96 security advisory for more information.
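The following is an added example, not Scrapy's own code, that models both rules above with the standard library only: a redirect builder that drops a manually set ``Cookie`` header when the redirect host differs and never copies request-level cookies, and a minimal cookie jar that rejects cookies whose domain is a public suffix unless it equals the request host. The ``PUBLIC_SUFFIXES`` set is a constructed subset of the Public Suffix List, and ``CookieJarLite``, ``build_redirect_request`` and the dict standing in for a ``Request`` are assumptions of this demo, not Scrapy APIs.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# A real implementation must load the full list; this is only an assumption
# sufficient for the demo below.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def is_public_suffix(domain: str) -> bool:
    """True if the (leading-dot-stripped) domain is on the public suffix list."""
    return domain.lstrip(".").lower() in PUBLIC_SUFFIXES


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def accept_cookie(cookie_domain: str, request_url: str) -> bool:
    """Second rule: a cookie whose domain is a public suffix is ignored unless
    that domain is exactly the request host; otherwise normal domain matching."""
    host = host_of(request_url)
    d = (cookie_domain or host).lstrip(".").lower()
    if is_public_suffix(d):
        return d == host
    return domain_matches(host, d)


class CookieJarLite:
    """Minimal jar keyed by (domain, name); just enough to show the rules."""

    def __init__(self):
        self._cookies = {}

    def set_cookie(self, name, value, domain, request_url) -> bool:
        """Store a cookie (from Set-Cookie or Request.cookies) if it is accepted.
        Returns whether it was stored."""
        if not accept_cookie(domain, request_url):
            return False
        self._cookies[(domain.lstrip(".").lower(), name)] = value
        return True

    def cookies_for(self, url) -> dict:
        """Cookies that domain-match the host of `url`."""
        host = host_of(url)
        return {name: value for (domain, name), value in self._cookies.items()
                if domain_matches(host, domain)}


def build_redirect_request(original: dict, location: str) -> dict:
    """First rule: build the follow-up request for a redirect.
    `original` is a dict {"url", "headers", "cookies"} standing in for a Request.
    A manually set Cookie header survives only if the redirect host is an exact
    match; request-level cookies are never copied (the jar decides per domain)."""
    headers = dict(original.get("headers", {}))
    if host_of(original["url"]) != host_of(location):
        headers = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    return {"url": location, "headers": headers, "cookies": None}


if __name__ == "__main__":
    jar = CookieJarLite()
    # Legitimate shared suffix: example.com cookie is visible to its subdomains.
    assert jar.set_cookie("sid", "1", "example.com", "https://www.example.com/")
    print(jar.cookies_for("https://api.example.com/"))
    # Attacker on attacker.co.uk tries to plant a cookie for all of .co.uk.
    print(jar.set_cookie("evil", "x", ".co.uk", "https://attacker.co.uk/"))
    # Cross-host redirect drops the manual Cookie header and request cookies.
    req = {"url": "https://example.com/login", "headers": {"Cookie": "a=1"},
           "cookies": [{"name": "a", "value": "1"}]}
    print(build_redirect_request(req, "https://attacker.example/"))
```

Run it directly to see the three cases; ``accept_cookie`` is the only place the public-suffix check lives, so swapping ``PUBLIC_SUFFIXES`` for a full list loaded from the published file is the one change needed for real use.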