Files
python312/CVE-2026-0865-wsgiref-ctrl-chars.patch

97 lines
4.5 KiB
Diff
Raw Permalink Normal View History

Fix eight bugs (mostly rejecting ctrl chars in various protocols) CVE-2025-11468: to preserve parens when folding comments. (bsc#1257029, gh#python/cpython#143935) CVE-2025-11468-email-hdr-fold-comment.patch CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch CVE-2025-13836: to prevent reading an HTTP response from Content-Length per default as the length. (bsc#1254400, gh#python/cpython#119451) CVE-2025-13836-http-resp-cont-len.patch CVE-2025-12084: prevent quadratic behavior in node ID cache clearing. (bsc#1254997, gh#python/cpython#142145) CVE-2025-12084-minidom-quad-search.patch CVE-2025-13837: protect against OOM when loading malicious content. (bsc#1254401, gh#python/cpython#119342) CVE-2025-13837-plistlib-mailicious-length.patch - gh-99242: os.getloadavg() may throw OSError when running regression tests under certain conditions (e.g. chroot). This error is now caught and ignored, since reporting load average is optional. - gh-121160: Add a test for readline.set_history_length(). Note that this test may fail on readline libraries. - gh-121200: Fix test_expanduser_pwd2() of test_posixpath. Call getpwnam() to get pw_dir, since it can be different than getpwall() pw_dir. Patch by Victor Stinner. - gh-121188: When creating the JUnit XML file, regrtest now escapes characters which are invalid in XML, such as the chr(27) control character used in ANSI escape sequences. Patch by Victor Stinner. - CVE-2026-1299 and CVE-2024-6923: email headers with embedded newlines are now quoted on output. The generator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in bsc#1228780, gh-121650; bsc#1257181, gh-121650). - gh-120495: Fix incorrect exception handling in Tab Nanny. Patch by Wulian233. would produce incorrect results if type parameters in a class scope were overridden by assignments in a class scope and from __future__ import annotations semantics were - gh-81936: help() and showtopic() methods now respect a configured output argument to pydoc.Helper and not use the pager in such cases. Patch by Enrico Tröger. - gh-119577: The DeprecationWarning emitted when testing the truth value of an xml.etree.ElementTree.Element now - gh-121871: Documentation HTML varies from timestamp. Patch by Bernhard M. Wiedemann (bsc#1227999). - gh-122029: Emit c_call events in sys.setprofile() when a PyMethodObject pointing to a PyCFunction is called. modification of a list object, where one thread assigns a slice and another clears it. bytes and bytearray objects when using protocol version 5. Patch by Bénédikt Tran.
2026-02-10 23:12:15 +01:00
From 03a7342c9e2bbdab20a6d882bf334608dc7a5d4b Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <68491+gpshead@users.noreply.github.com>
Date: Sat, 17 Jan 2026 10:23:57 -0800
Subject: [PATCH] [3.12] gh-143916: Reject control characters in
wsgiref.headers.Headers (GH-143917) (GH-143973)
gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917)
* Add 'test.support' fixture for C0 control characters
* gh-143916: Reject control characters in wsgiref.headers.Headers
(cherry picked from commit f7fceed79ca1bceae8dbe5ba5bc8928564da7211)
(cherry picked from commit 22e4d55285cee52bc4dbe061324e5f30bd4dee58)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
---
Lib/test/support/__init__.py | 7 +++++
Lib/test/test_wsgiref.py | 12 +++++++++-
Lib/wsgiref/headers.py | 3 ++
Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst | 2 +
4 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
Index: Python-3.12.12/Lib/test/support/__init__.py
===================================================================
--- Python-3.12.12.orig/Lib/test/support/__init__.py 2026-02-10 22:15:04.163026806 +0100
+++ Python-3.12.12/Lib/test/support/__init__.py 2026-02-10 22:17:57.451276662 +0100
@@ -2591,3 +2591,10 @@
if self.iter_raises:
1/0
return self
+
+
+def control_characters_c0() -> list[str]:
+ """Returns a list of C0 control characters as strings.
+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
+ """
+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
Index: Python-3.12.12/Lib/test/test_wsgiref.py
===================================================================
--- Python-3.12.12.orig/Lib/test/test_wsgiref.py 2026-02-10 22:15:06.432657502 +0100
+++ Python-3.12.12/Lib/test/test_wsgiref.py 2026-02-10 22:17:57.451566378 +0100
@@ -1,6 +1,6 @@
from unittest import mock
from test import support
-from test.support import socket_helper
+from test.support import socket_helper, control_characters_c0
from test.test_httpservers import NoLogRequestHandler
from unittest import TestCase
from wsgiref.util import setup_testing_defaults
@@ -503,6 +503,16 @@
'\r\n'
)
+ def testRaisesControlCharacters(self):
+ headers = Headers()
+ for c0 in control_characters_c0():
+ self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
+ self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}")
+ self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
+ self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param")
+ self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}")
+
+
class ErrorHandler(BaseCGIHandler):
"""Simple handler subclass for testing BaseHandler"""
Index: Python-3.12.12/Lib/wsgiref/headers.py
===================================================================
--- Python-3.12.12.orig/Lib/wsgiref/headers.py 2026-02-10 22:15:06.773169140 +0100
+++ Python-3.12.12/Lib/wsgiref/headers.py 2026-02-10 22:17:57.451729575 +0100
@@ -9,6 +9,7 @@
# existence of which force quoting of the parameter value.
import re
tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
+_control_chars_re = re.compile(r'[\x00-\x1F\x7F]')
def _formatparam(param, value=None, quote=1):
"""Convenience function to format and return a key=value pair.
@@ -41,6 +42,8 @@
def _convert_string_type(self, value):
"""Convert/check value type."""
if type(value) is str:
+ if _control_chars_re.search(value):
+ raise ValueError("Control characters not allowed in headers")
return value
raise AssertionError("Header names/values must be"
" of type str (got {0})".format(repr(value)))
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst 2026-02-10 22:17:57.451848490 +0100
@@ -0,0 +1,2 @@
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
+and parameters.