python311/CVE-2026-0865-wsgiref-ctrl-chars.patch

From 2c84d7875f35d3d1d0fbc170271227cc95752fa5 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <68491+gpshead@users.noreply.github.com>
Date: Sat, 17 Jan 2026 10:23:57 -0800
Subject: [PATCH] [3.11] gh-143916: Reject control characters in
 wsgiref.headers.Headers (GH-143917) (GH-143973)

gh-143916: Reject control characters in wsgiref.headers.Headers  (GH-143917)

* Add 'test.support' fixture for C0 control characters
* gh-143916: Reject control characters in wsgiref.headers.Headers

(cherry picked from commit f7fceed79ca1bceae8dbe5ba5bc8928564da7211)
(cherry picked from commit 22e4d55285cee52bc4dbe061324e5f30bd4dee58)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
---
 Lib/test/support/__init__.py                                             |    7 ++
 Lib/test/test_wsgiref.py                                                 |   18 +++++
 Lib/wsgiref/headers.py                                                   |   34 ++++++----
 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst |    2 
 4 files changed, 47 insertions(+), 14 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst

Index: Python-3.11.14/Lib/test/support/__init__.py
===================================================================
--- Python-3.11.14.orig/Lib/test/support/__init__.py	2026-02-11 23:22:45.373477280 +0100
+++ Python-3.11.14/Lib/test/support/__init__.py	2026-02-11 23:23:25.641652256 +0100
@@ -2294,3 +2294,10 @@
 fails_with_expat_2_6_0 = (unittest.expectedFailure
                           if is_expat_2_6_0
                           else lambda test: test)
+
+
+def control_characters_c0() -> list[str]:
+    """Returns a list of C0 control characters as strings.
+    C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
+    """
+    return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
Index: Python-3.11.14/Lib/test/test_wsgiref.py
===================================================================
--- Python-3.11.14.orig/Lib/test/test_wsgiref.py	2026-02-11 23:22:38.512011986 +0100
+++ Python-3.11.14/Lib/test/test_wsgiref.py	2026-02-11 23:24:19.545119499 +0100
@@ -1,6 +1,6 @@
 from unittest import mock
 from test import support
-from test.support import socket_helper
+from test.support import socket_helper, control_characters_c0
 from test.test_httpservers import NoLogRequestHandler
 from unittest import TestCase
 from wsgiref.util import setup_testing_defaults
@@ -503,6 +503,22 @@
             '\r\n'
         )
 
+    def testRaisesControlCharacters(self):
+        for c0 in control_characters_c0():
+            with self.subTest(c0):
+                headers = Headers()
+                self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
+                self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
+                # HTAB (\x09) is allowed in values, not names.
+                if c0 == "\t":
+                    headers["key"] = f"val{c0}"
+                    headers.add_header("key", f"val{c0}")
+                    headers.setdefault(f"key", f"val{c0}")
+                else:
+                    self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}")
+                    self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param")
+                    self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}")
+
 class ErrorHandler(BaseCGIHandler):
     """Simple handler subclass for testing BaseHandler"""
 
Index: Python-3.11.14/Lib/wsgiref/headers.py
===================================================================
--- Python-3.11.14.orig/Lib/wsgiref/headers.py	2026-02-11 23:22:38.927685306 +0100
+++ Python-3.11.14/Lib/wsgiref/headers.py	2026-02-11 23:24:19.545709612 +0100
@@ -9,6 +9,11 @@
 # existence of which force quoting of the parameter value.
 import re
 tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
+# Disallowed characters for headers and values.
+# HTAB (\x09) is allowed in header values, but
+# not in header names. (RFC 9110 Section 5.5)
+_name_disallowed_re = re.compile(r'[\x00-\x1F\x7F]')
+_value_disallowed_re = re.compile(r'[\x00-\x08\x0A-\x1F\x7F]')
 
 def _formatparam(param, value=None, quote=1):
     """Convenience function to format and return a key=value pair.
@@ -35,12 +40,15 @@
         self._headers = headers
         if __debug__:
             for k, v in headers:
-                self._convert_string_type(k)
-                self._convert_string_type(v)
+                self._convert_string_type(k, name=True)
+                self._convert_string_type(v, name=False)
 
-    def _convert_string_type(self, value):
+    def _convert_string_type(self, value, *, name):
         """Convert/check value type."""
         if type(value) is str:
+            regex = (_name_disallowed_re if name else _value_disallowed_re)
+            if regex.search(value):
+                raise ValueError("Control characters not allowed in headers")
             return value
         raise AssertionError("Header names/values must be"
             " of type str (got {0})".format(repr(value)))
@@ -53,14 +61,14 @@
         """Set the value of a header."""
         del self[name]
         self._headers.append(
-            (self._convert_string_type(name), self._convert_string_type(val)))
+            (self._convert_string_type(name, name=True), self._convert_string_type(val, name=False)))
 
     def __delitem__(self,name):
         """Delete all occurrences of a header, if present.
 
         Does *not* raise an exception if the header is missing.
         """
-        name = self._convert_string_type(name.lower())
+        name = self._convert_string_type(name.lower(), name=True)
         self._headers[:] = [kv for kv in self._headers if kv[0].lower() != name]
 
     def __getitem__(self,name):
@@ -87,13 +95,13 @@
         fields deleted and re-inserted are always appended to the header list.
         If no fields exist with the given name, returns an empty list.
         """
-        name = self._convert_string_type(name.lower())
+        name = self._convert_string_type(name.lower(), name=True)
         return [kv[1] for kv in self._headers if kv[0].lower()==name]
 
 
     def get(self,name,default=None):
         """Get the first header value for 'name', or return 'default'"""
-        name = self._convert_string_type(name.lower())
+        name = self._convert_string_type(name.lower(), name=True)
         for k,v in self._headers:
             if k.lower()==name:
                 return v
@@ -148,8 +156,8 @@
         and value 'value'."""
         result = self.get(name)
         if result is None:
-            self._headers.append((self._convert_string_type(name),
-                self._convert_string_type(value)))
+            self._headers.append((self._convert_string_type(name, name=True),
+                self._convert_string_type(value, name=False)))
             return value
         else:
             return result
@@ -172,13 +180,13 @@
         """
         parts = []
         if _value is not None:
-            _value = self._convert_string_type(_value)
+            _value = self._convert_string_type(_value, name=False)
             parts.append(_value)
         for k, v in _params.items():
-            k = self._convert_string_type(k)
+            k = self._convert_string_type(k, name=True)
             if v is None:
                 parts.append(k.replace('_', '-'))
             else:
-                v = self._convert_string_type(v)
+                v = self._convert_string_type(v, name=False)
                 parts.append(_formatparam(k.replace('_', '-'), v))
-        self._headers.append((self._convert_string_type(_name), "; ".join(parts)))
+        self._headers.append((self._convert_string_type(_name, name=True), "; ".join(parts)))
Index: Python-3.11.14/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.11.14/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst	2026-02-11 23:22:49.891193395 +0100
@@ -0,0 +1,2 @@
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
+and parameters.