Warn when cookie domain is set to an IP

flask/helpers.py

@@ -14,6 +14,7 @@
 import pkgutil
 import posixpath
 import mimetypes
+import warnings
 from time import time
 from zlib import adler32
 from threading import RLock
@@ -958,3 +959,33 @@ def total_seconds(td):
     :rtype: int
     """
     return td.days * 60 * 60 * 24 + td.seconds
+
+def is_ip(string, var_name):
+    """Returns the if the string received is an IP or not.
+
+    :param string: the string to check if it an IP or not
+    :param var_name: the name of the variable that is being checked
+
+    :returns: True if string is an IP, False if not
+    :rtype: boolean
+    """
+    ipv4 = string.split('.')
+    ipv6 = string.split(':')
+    try:
+        for i,t in enumerate(ipv6):
+            if not t:
+                ipv6[i] = "0"
+        if(all(int(t,16) >= 0 and int(t,16) <= 65535 for t in ipv6)):
+            print("IPv6 address introduced in " + var_name)
+            return True
+    except ValueError:
+        pass
+
+    if len(ipv4) == 4:
+        try:
+            if(all(int(t) >= 0 and int(t) <= 255 for t in ipv4)):
+                print("IPv4 address introduced in " + var_name)
+        except ValueError:
+            return False
+    else:
+        return False

flask/sessions.py

@@ -17,7 +17,7 @@
 from werkzeug.datastructures import CallbackDict
 from . import Markup, json
 from ._compat import iteritems, text_type
-from .helpers import total_seconds
+from .helpers import total_seconds, is_IP
 
 from itsdangerous import URLSafeTimedSerializer, BadSignature
 
@@ -332,6 +332,8 @@ def open_session(self, app, request):
 
     def save_session(self, app, session, response):
         domain = self.get_cookie_domain(app)
+        if domain != None:
+            is_ip(domain, "SESSION_COOKIE_DOMAIN", self)
         path = self.get_cookie_path(app)
 
         # Delete case.  If there is no session we bail early.