forked from pool/python310
Matěj Cepl
539e53b74e
CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch
98 lines
4.2 KiB
Diff
98 lines
4.2 KiB
Diff
From 123bfbbe9074ef7fa28e1e7b25575665296560fa Mon Sep 17 00:00:00 2001
|
|
From: "Gregory P. Smith" <68491+gpshead@users.noreply.github.com>
|
|
Date: Sat, 17 Jan 2026 10:23:57 -0800
|
|
Subject: [PATCH] [3.10] gh-143916: Reject control characters in
|
|
wsgiref.headers.Headers (GH-143917) (GH-143973)
|
|
|
|
gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917)
|
|
|
|
* Add 'test.support' fixture for C0 control characters
|
|
* gh-143916: Reject control characters in wsgiref.headers.Headers
|
|
|
|
(cherry picked from commit f7fceed79ca1bceae8dbe5ba5bc8928564da7211)
|
|
(cherry picked from commit 22e4d55285cee52bc4dbe061324e5f30bd4dee58)
|
|
|
|
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
|
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
|
---
|
|
Lib/test/support/__init__.py | 7 +++++++
|
|
Lib/test/test_wsgiref.py | 12 +++++++++++-
|
|
Lib/wsgiref/headers.py | 3 +++
|
|
.../2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst | 2 ++
|
|
4 files changed, 23 insertions(+), 1 deletion(-)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
|
|
|
|
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
|
|
index 0d3b9634f10248..d0492fe1914343 100644
|
|
--- a/Lib/test/support/__init__.py
|
|
+++ b/Lib/test/support/__init__.py
|
|
@@ -2157,3 +2157,10 @@ def adjust_int_max_str_digits(max_digits):
|
|
yield
|
|
finally:
|
|
sys.set_int_max_str_digits(current)
|
|
+
|
|
+
|
|
+def control_characters_c0() -> list[str]:
|
|
+ """Returns a list of C0 control characters as strings.
|
|
+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
|
|
+ """
|
|
+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
|
|
diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
|
|
index 42094f467731d4..01ca51ba458587 100644
|
|
--- a/Lib/test/test_wsgiref.py
|
|
+++ b/Lib/test/test_wsgiref.py
|
|
@@ -1,6 +1,6 @@
|
|
from unittest import mock
|
|
from test import support
|
|
-from test.support import socket_helper
|
|
+from test.support import socket_helper, control_characters_c0
|
|
from test.support import warnings_helper
|
|
from test.test_httpservers import NoLogRequestHandler
|
|
from unittest import TestCase
|
|
@@ -527,6 +527,16 @@ def testExtras(self):
|
|
'\r\n'
|
|
)
|
|
|
|
+ def testRaisesControlCharacters(self):
|
|
+ headers = Headers()
|
|
+ for c0 in control_characters_c0():
|
|
+ self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
|
|
+ self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}")
|
|
+ self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
|
|
+ self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param")
|
|
+ self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}")
|
|
+
|
|
+
|
|
class ErrorHandler(BaseCGIHandler):
|
|
"""Simple handler subclass for testing BaseHandler"""
|
|
|
|
diff --git a/Lib/wsgiref/headers.py b/Lib/wsgiref/headers.py
|
|
index fab851c5a44430..fd98e85d75492b 100644
|
|
--- a/Lib/wsgiref/headers.py
|
|
+++ b/Lib/wsgiref/headers.py
|
|
@@ -9,6 +9,7 @@
|
|
# existence of which force quoting of the parameter value.
|
|
import re
|
|
tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
|
|
+_control_chars_re = re.compile(r'[\x00-\x1F\x7F]')
|
|
|
|
def _formatparam(param, value=None, quote=1):
|
|
"""Convenience function to format and return a key=value pair.
|
|
@@ -41,6 +42,8 @@ def __init__(self, headers=None):
|
|
def _convert_string_type(self, value):
|
|
"""Convert/check value type."""
|
|
if type(value) is str:
|
|
+ if _control_chars_re.search(value):
|
|
+ raise ValueError("Control characters not allowed in headers")
|
|
return value
|
|
raise AssertionError("Header names/values must be"
|
|
" of type str (got {0})".format(repr(value)))
|
|
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
|
|
new file mode 100644
|
|
index 00000000000000..44bd0b27059f94
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
|
|
@@ -0,0 +1,2 @@
|
|
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
|
|
+and parameters.
|