domain_match(A, B) is documented to return True when A has the form NB, i.e. A ends with B (RFC 2965, section 1: "x.y.com domain-matches .Y.com but not Y.com"). It computes i = A.rfind(B) and only rejects i == -1 or i == 0, so a B that appears as an interior substring of A also matches:
>>> from http.cookiejar import domain_match
>>> domain_match("www.acme.com.evil.org", ".acme.com")
True
www.acme.com.evil.org does not end with .acme.com, so this should be False. The sibling helper user_domain_match() already uses A.endswith(B). This feeds the RFC 2965 (version > 0) cookie domain checks in set_ok_domain/return_ok_domain and is_third_party().
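A minimal model of the two forms of the suffix check, added here as an example rather than the stdlib's own code: `domain_match_rfind` reproduces only the `rfind()` rule described above (it drops the lowercasing-plus-`liberal_is_HDN` validation the real function also performs), and `domain_match_endswith` is the `A.endswith(B)` form already used by `user_domain_match()`. The case list is constructed for this example.

```python
# Added example (not from the CPython issue or the stdlib): a minimal model of the
# "A has the form NB" suffix rule, buggy rfind() form beside the endswith() form.
# Assumption: only the suffix rule is modelled; host-name validation is omitted.


def domain_match_rfind(A, B):
    """Buggy form: accepts B anywhere inside A except at the very start."""
    A, B = A.lower(), B.lower()
    if A == B:
        return True
    i = A.rfind(B)
    if i == -1 or i == 0:          # only "absent" and "N is empty" are rejected
        return False
    return B.startswith(".")       # RFC 2965: the matched domain must be dotted


def domain_match_endswith(A, B):
    """Fixed form: B must be a proper, dotted suffix of A (non-empty N)."""
    A, B = A.lower(), B.lower()
    if A == B:
        return True
    if not B.startswith(".") or len(A) <= len(B):
        return False
    return A.endswith(B)


# Constructed cases: (A, B, expected result under the RFC 2965 suffix rule).
CASES = [
    ("x.y.com", ".y.com", True),                       # RFC 2965 section 1 example
    ("x.y.com", "y.com", False),                       # undotted B never matches
    ("www.acme.com.evil.org", ".acme.com", False),     # interior match from the report
    ("evil.acme.com", ".acme.com", True),              # genuine subdomain
    (".acme.com", ".acme.com", True),                  # A == B
    ("acme.com", ".acme.com", False),                  # A shorter than B
    ("WWW.Acme.COM", ".acme.com", True),               # case-insensitive
]


def divergent_cases(match=domain_match_rfind):
    """Return the (A, B) pairs on which `match` disagrees with the expected result."""
    return [(A, B) for A, B, expected in CASES if match(A, B) != expected]


if __name__ == "__main__":
    print("rfind form disagrees on:", divergent_cases(domain_match_rfind))
    print("endswith form disagrees on:", divergent_cases(domain_match_endswith))
```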