show warning if session cookie domain is ip

closes #2007
8 years ago · c3d49e29ea
2 changed files with 25 additions and 1 deletions
--- a/flask/helpers.py
+++ b/flask/helpers.py
@ -976,3 +976,23 @@ def total_seconds(td):
    :rtype: int
    """
    return td.days * 60 * 60 * 24 + td.seconds
+
+def is_ip(ip):
+    """Returns the if the string received is an IP or not.
+
+    :param string: the string to check if it an IP or not
+    :param var_name: the name of the string that is being checked
+
+    :returns: True if string is an IP, False if not
+    :rtype: boolean
+    """
+    import socket
+
+    for family in (socket.AF_INET, socket.AF_INET6):
+        try:
+            socket.inet_pton(family, ip)
+        except socket.error:
+            pass
+        else:
+            return True
+    return False
--- a/flask/sessions.py
+++ b/flask/sessions.py
@ -11,13 +11,14 @@

 import uuid
 import hashlib
+from warnings import warn
 from base64 import b64encode, b64decode
 from datetime import datetime
 from werkzeug.http import http_date, parse_date
 from werkzeug.datastructures import CallbackDict
 from . import Markup, json
 from ._compat import iteritems, text_type
-from .helpers import total_seconds
+from .helpers import total_seconds, is_ip

 from itsdangerous import URLSafeTimedSerializer, BadSignature

@ -336,6 +337,9 @@ class SecureCookieSessionInterface(SessionInterface):

    def save_session(self, app, session, response):
        domain = self.get_cookie_domain(app)
+        if domain is not None:
+            if is_ip(domain):
+                warnings.warn("IP introduced in SESSION_COOKIE_DOMAIN", RuntimeWarning)
        path = self.get_cookie_path(app)

        # Delete case.  If there is no session we bail early.