forked from pool/python310
Matěj Cepl
539e53b74e
CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch
57 lines
2.5 KiB
Diff
57 lines
2.5 KiB
Diff
From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Fri, 16 Jan 2026 10:54:09 -0600
|
|
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
|
|
|
|
---
|
|
Lib/imaplib.py | 4 +++-
|
|
Lib/test/test_imaplib.py | 6 ++++++
|
|
Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
|
|
3 files changed, 10 insertions(+), 1 deletion(-)
|
|
|
|
Index: Python-3.10.19/Lib/imaplib.py
|
|
===================================================================
|
|
--- Python-3.10.19.orig/Lib/imaplib.py 2026-02-12 01:05:53.821319313 +0100
|
|
+++ Python-3.10.19/Lib/imaplib.py 2026-02-12 01:06:28.558652908 +0100
|
|
@@ -132,7 +132,7 @@
|
|
# We compile these in _mode_xxx.
|
|
_Literal = br'.*{(?P<size>\d+)}$'
|
|
_Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
|
|
-
|
|
+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
|
|
|
|
|
|
class IMAP4:
|
|
@@ -994,6 +994,8 @@
|
|
if arg is None: continue
|
|
if isinstance(arg, str):
|
|
arg = bytes(arg, self._encoding)
|
|
+ if _control_chars.search(arg):
|
|
+ raise ValueError("Control characters not allowed in commands")
|
|
data = data + b' ' + arg
|
|
|
|
literal = self.literal
|
|
Index: Python-3.10.19/Lib/test/test_imaplib.py
|
|
===================================================================
|
|
--- Python-3.10.19.orig/Lib/test/test_imaplib.py 2026-02-12 01:05:55.293033311 +0100
|
|
+++ Python-3.10.19/Lib/test/test_imaplib.py 2026-02-12 01:07:45.387053336 +0100
|
|
@@ -538,6 +538,12 @@
|
|
self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
|
|
self.assertEqual(client.state, 'AUTH')
|
|
|
|
+ def test_control_characters(self):
|
|
+ client, _ = self._setup(SimpleIMAPHandler)
|
|
+ for c0 in support.control_characters_c0():
|
|
+ with self.assertRaises(ValueError):
|
|
+ client.login(f'user{c0}', 'pass')
|
|
+
|
|
|
|
class NewIMAPTests(NewIMAPTestsMixin, unittest.TestCase):
|
|
imap_class = imaplib.IMAP4
|
|
Index: Python-3.10.19/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.10.19/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-02-12 01:06:28.559224837 +0100
|
|
@@ -0,0 +1 @@
|
|
+Reject control characters in IMAP commands.
|