CVE-2025-15282-urllib-ctrl-chars.patch

From f336af1c4b103297de1322bbe00f920f3e58b899 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Tue, 20 Jan 2026 14:45:58 -0600
Subject: [PATCH 1/2] [3.12] gh-143925: Reject control characters in data: URL
 mediatypes (cherry picked from commit
 f25509e78e8be6ea73c811ac2b8c928c28841b9f) (cherry picked from commit
 2c9c746077d8119b5bcf5142316992e464594946)

Co-authored-by: Seth Michael Larson <seth@python.org>
---
 Lib/test/test_urllib.py                                                  |    8 ++++++++
 Lib/urllib/request.py                                                    |    5 +++++
 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst |    1 +
 3 files changed, 14 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst

Index: Python-3.12.12/Lib/test/test_urllib.py
===================================================================
--- Python-3.12.12.orig/Lib/test/test_urllib.py	2026-02-10 22:15:06.355594386 +0100
+++ Python-3.12.12/Lib/test/test_urllib.py	2026-02-10 22:18:23.820760279 +0100
@@ -12,6 +12,7 @@
 from test.support import os_helper
 from test.support import socket_helper
 from test.support import warnings_helper
+from test.support import control_characters_c0
 import os
 try:
     import ssl
@@ -688,6 +689,13 @@
         # missing padding character
         self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
 
+    def test_invalid_mediatype(self):
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html;{c0},data')
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html{c0};base64,ZGF0YQ==')
 
 class urlretrieve_FileTests(unittest.TestCase):
     """Test urllib.urlretrieve() on local files"""
Index: Python-3.12.12/Lib/urllib/request.py
===================================================================
--- Python-3.12.12.orig/Lib/urllib/request.py	2026-02-10 22:15:06.739534061 +0100
+++ Python-3.12.12/Lib/urllib/request.py	2026-02-10 22:18:23.819325524 +0100
@@ -1655,6 +1655,11 @@
         scheme, data = url.split(":",1)
         mediatype, data = data.split(",",1)
 
+        # Disallow control characters within mediatype.
+        if re.search(r"[\x00-\x1F\x7F]", mediatype):
+            raise ValueError(
+                "Control characters not allowed in data: mediatype")
+
         # even base64 encoded data URLs might be quoted so unquote in any case:
         data = unquote_to_bytes(data)
         if mediatype.endswith(";base64"):
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst	2026-02-10 22:18:23.819830797 +0100
@@ -0,0 +1 @@
+Reject control characters in ``data:`` URL media types.
Fix eight bugs (mostly rejecting ctrl chars in various protocols) CVE-2025-11468: to preserve parens when folding comments. (bsc#1257029, gh#python/cpython#143935) CVE-2025-11468-email-hdr-fold-comment.patch CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch CVE-2025-13836: to prevent reading an HTTP response from Content-Length per default as the length. (bsc#1254400, gh#python/cpython#119451) CVE-2025-13836-http-resp-cont-len.patch CVE-2025-12084: prevent quadratic behavior in node ID cache clearing. (bsc#1254997, gh#python/cpython#142145) CVE-2025-12084-minidom-quad-search.patch CVE-2025-13837: protect against OOM when loading malicious content. (bsc#1254401, gh#python/cpython#119342) CVE-2025-13837-plistlib-mailicious-length.patch - gh-99242: os.getloadavg() may throw OSError when running regression tests under certain conditions (e.g. chroot). This error is now caught and ignored, since reporting load average is optional. - gh-121160: Add a test for readline.set_history_length(). Note that this test may fail on readline libraries. - gh-121200: Fix test_expanduser_pwd2() of test_posixpath. Call getpwnam() to get pw_dir, since it can be different than getpwall() pw_dir. Patch by Victor Stinner. - gh-121188: When creating the JUnit XML file, regrtest now escapes characters which are invalid in XML, such as the chr(27) control character used in ANSI escape sequences. Patch by Victor Stinner. - CVE-2026-1299 and CVE-2024-6923: email headers with embedded newlines are now quoted on output. The generator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in bsc#1228780, gh-121650; bsc#1257181, gh-121650). - gh-120495: Fix incorrect exception handling in Tab Nanny. Patch by Wulian233. would produce incorrect results if type parameters in a class scope were overridden by assignments in a class scope and from __future__ import annotations semantics were - gh-81936: help() and showtopic() methods now respect a configured output argument to pydoc.Helper and not use the pager in such cases. Patch by Enrico Tröger. - gh-119577: The DeprecationWarning emitted when testing the truth value of an xml.etree.ElementTree.Element now - gh-121871: Documentation HTML varies from timestamp. Patch by Bernhard M. Wiedemann (bsc#1227999). - gh-122029: Emit c_call events in sys.setprofile() when a PyMethodObject pointing to a PyCFunction is called. modification of a list object, where one thread assigns a slice and another clears it. bytes and bytearray objects when using protocol version 5. Patch by Bénédikt Tran. 2026-02-10 23:12:15 +01:00			`From f336af1c4b103297de1322bbe00f920f3e58b899 Mon Sep 17 00:00:00 2001`
			`From: Seth Michael Larson <seth@python.org>`
			`Date: Tue, 20 Jan 2026 14:45:58 -0600`
			`Subject: [PATCH 1/2] [3.12] gh-143925: Reject control characters in data: URL`
			`mediatypes (cherry picked from commit`
			`f25509e78e8be6ea73c811ac2b8c928c28841b9f) (cherry picked from commit`
			`2c9c746077d8119b5bcf5142316992e464594946)`

			`Co-authored-by: Seth Michael Larson <seth@python.org>`
			`---`
			`Lib/test/test_urllib.py \| 8 ++++++++`
			`Lib/urllib/request.py \| 5 +++++`
			`Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst \| 1 +`
			`3 files changed, 14 insertions(+)`
			`create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst`

			`Index: Python-3.12.12/Lib/test/test_urllib.py`
			`===================================================================`
			`--- Python-3.12.12.orig/Lib/test/test_urllib.py 2026-02-10 22:15:06.355594386 +0100`
			`+++ Python-3.12.12/Lib/test/test_urllib.py 2026-02-10 22:18:23.820760279 +0100`
			`@@ -12,6 +12,7 @@`
			`from test.support import os_helper`
			`from test.support import socket_helper`
			`from test.support import warnings_helper`
			`+from test.support import control_characters_c0`
			`import os`
			`try:`
			`import ssl`
			`@@ -688,6 +689,13 @@`
			`# missing padding character`
			`self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')`

			`+ def test_invalid_mediatype(self):`
			`+ for c0 in control_characters_c0():`
			`+ self.assertRaises(ValueError,urllib.request.urlopen,`
			`+ f'data:text/html;{c0},data')`
			`+ for c0 in control_characters_c0():`
			`+ self.assertRaises(ValueError,urllib.request.urlopen,`
			`+ f'data:text/html{c0};base64,ZGF0YQ==')`

			`class urlretrieve_FileTests(unittest.TestCase):`
			`"""Test urllib.urlretrieve() on local files"""`
			`Index: Python-3.12.12/Lib/urllib/request.py`
			`===================================================================`
			`--- Python-3.12.12.orig/Lib/urllib/request.py 2026-02-10 22:15:06.739534061 +0100`
			`+++ Python-3.12.12/Lib/urllib/request.py 2026-02-10 22:18:23.819325524 +0100`
			`@@ -1655,6 +1655,11 @@`
			`scheme, data = url.split(":",1)`
			`mediatype, data = data.split(",",1)`

			`+ # Disallow control characters within mediatype.`
			`+ if re.search(r"[\x00-\x1F\x7F]", mediatype):`
			`+ raise ValueError(`
			`+ "Control characters not allowed in data: mediatype")`
			`+`
			`# even base64 encoded data URLs might be quoted so unquote in any case:`
			`data = unquote_to_bytes(data)`
			`if mediatype.endswith(";base64"):`
			`Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst`
			`===================================================================`
			`--- /dev/null 1970-01-01 00:00:00.000000000 +0000`
			`+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst 2026-02-10 22:18:23.819830797 +0100`
			`@@ -0,0 +1 @@`
			+Reject control characters in ``data:`` URL media types.