forked from pool/python311
Matěj Cepl
02f09793e7
CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch
57 lines
2.4 KiB
Diff
57 lines
2.4 KiB
Diff
From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Fri, 16 Jan 2026 10:54:09 -0600
|
|
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
|
|
|
|
---
|
|
Lib/poplib.py | 2 ++
|
|
Lib/test/test_poplib.py | 8 ++++++++
|
|
Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 +
|
|
3 files changed, 11 insertions(+)
|
|
|
|
Index: Python-3.11.14/Lib/poplib.py
|
|
===================================================================
|
|
--- Python-3.11.14.orig/Lib/poplib.py 2025-10-09 18:16:55.000000000 +0200
|
|
+++ Python-3.11.14/Lib/poplib.py 2026-02-11 23:38:35.281675745 +0100
|
|
@@ -122,6 +122,8 @@
|
|
def _putcmd(self, line):
|
|
if self._debugging: print('*cmd*', repr(line))
|
|
line = bytes(line, self.encoding)
|
|
+ if re.search(b'[\x00-\x1F\x7F]', line):
|
|
+ raise ValueError('Control characters not allowed in commands')
|
|
self._putline(line)
|
|
|
|
|
|
Index: Python-3.11.14/Lib/test/test_poplib.py
|
|
===================================================================
|
|
--- Python-3.11.14.orig/Lib/test/test_poplib.py 2025-10-09 18:16:55.000000000 +0200
|
|
+++ Python-3.11.14/Lib/test/test_poplib.py 2026-02-11 23:39:24.009682813 +0100
|
|
@@ -16,6 +16,7 @@
|
|
from test.support import socket_helper
|
|
from test.support import threading_helper
|
|
from test.support import warnings_helper
|
|
+from test.support import control_characters_c0
|
|
|
|
|
|
asynchat = warnings_helper.import_deprecated('asynchat')
|
|
@@ -367,6 +368,13 @@
|
|
self.assertIsNone(self.client.sock)
|
|
self.assertIsNone(self.client.file)
|
|
|
|
+ def test_control_characters(self):
|
|
+ for c0 in control_characters_c0():
|
|
+ with self.assertRaises(ValueError):
|
|
+ self.client.user(f'user{c0}')
|
|
+ with self.assertRaises(ValueError):
|
|
+ self.client.pass_(f'{c0}pass')
|
|
+
|
|
@requires_ssl
|
|
def test_stls_capa(self):
|
|
capa = self.client.capa()
|
|
Index: Python-3.11.14/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.11.14/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst 2026-02-11 23:38:35.282276228 +0100
|
|
@@ -0,0 +1 @@
|
|
+Reject control characters in POP3 commands.
|