forked from pool/python312
Matěj Cepl
07beab470d
CVE-2025-11468: to preserve parens when folding comments.
(bsc#1257029, gh#python/cpython#143935)
CVE-2025-11468-email-hdr-fold-comment.patch
CVE-2025-12781: fix decoding with non-standard Base64 alphabet
(bsc#1257108, gh#python/cpython#125346)
CVE-2025-12781-b64decode-alt-chars.patch
CVE-2026-0672: rejects control characters in http cookies.
(bsc#1257031, gh#python/cpython#143919)
CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
CVE-2026-0865: rejecting control characters in
wsgiref.headers.Headers, which could be abused for injecting
false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
CVE-2026-0865-wsgiref-ctrl-chars.patch
CVE-2025-15366: basically the same as the previous patch for
IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
CVE-2025-15366-imap-ctrl-chars.patch
CVE-2025-15282: basically the same as the previous patch for
urllib library. (bsc#1257046, gh#python/cpython#143925)
CVE-2025-15282-urllib-ctrl-chars.patch
CVE-2025-15367: basically the same as the previous patch for
poplib library. (bsc#1257041, gh#python/cpython#143923)
CVE-2025-15367-poplib-ctrl-chars.patch
CVE-2025-13836: to prevent reading an HTTP response from
Content-Length per default as the length. (bsc#1254400,
gh#python/cpython#119451)
CVE-2025-13836-http-resp-cont-len.patch
CVE-2025-12084: prevent quadratic behavior in node ID cache
clearing. (bsc#1254997, gh#python/cpython#142145)
CVE-2025-12084-minidom-quad-search.patch
CVE-2025-13837: protect against OOM when loading malicious
content. (bsc#1254401, gh#python/cpython#119342)
CVE-2025-13837-plistlib-mailicious-length.patch
- gh-99242: os.getloadavg() may throw OSError when running
regression tests under certain conditions (e.g. chroot).
This error is now caught and ignored, since reporting load
average is optional.
- gh-121160: Add a test for readline.set_history_length().
Note that this test may fail on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of test_posixpath.
Call getpwnam() to get pw_dir, since it can be different
than getpwall() pw_dir. Patch by Victor Stinner.
- gh-121188: When creating the JUnit XML file, regrtest now
escapes characters which are invalid in XML, such as the
chr(27) control character used in ANSI escape sequences.
Patch by Victor Stinner.
- CVE-2026-1299 and CVE-2024-6923: email headers with
embedded newlines are now quoted on output. The generator
will now refuse to serialize (write) headers that are
unsafely folded or delimited; see verify_generated_headers.
(Contributed by Bas Bloemsaat and Petr Viktorin in
bsc#1228780, gh-121650; bsc#1257181, gh-121650).
- gh-120495: Fix incorrect exception handling in Tab Nanny.
Patch by Wulian233.
would produce incorrect results if type parameters in
a class scope were overridden by assignments in a class
scope and from __future__ import annotations semantics were
- gh-81936: help() and showtopic() methods now respect
a configured output argument to pydoc.Helper and not use
the pager in such cases. Patch by Enrico Tröger.
- gh-119577: The DeprecationWarning emitted when testing the
truth value of an xml.etree.ElementTree.Element now
- gh-121871: Documentation HTML varies from timestamp. Patch
by Bernhard M. Wiedemann (bsc#1227999).
- gh-122029: Emit c_call events in sys.setprofile() when
a PyMethodObject pointing to a PyCFunction is called.
modification of a list object, where one thread assigns
a slice and another clears it.
bytes and bytearray objects when using protocol version 5.
Patch by Bénédikt Tran.
65 lines
3.1 KiB
Diff
65 lines
3.1 KiB
Diff
From f336af1c4b103297de1322bbe00f920f3e58b899 Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Tue, 20 Jan 2026 14:45:58 -0600
|
|
Subject: [PATCH 1/2] [3.12] gh-143925: Reject control characters in data: URL
|
|
mediatypes (cherry picked from commit
|
|
f25509e78e8be6ea73c811ac2b8c928c28841b9f) (cherry picked from commit
|
|
2c9c746077d8119b5bcf5142316992e464594946)
|
|
|
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
|
---
|
|
Lib/test/test_urllib.py | 8 ++++++++
|
|
Lib/urllib/request.py | 5 +++++
|
|
Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst | 1 +
|
|
3 files changed, 14 insertions(+)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
|
|
|
|
Index: Python-3.12.12/Lib/test/test_urllib.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/test/test_urllib.py 2026-02-10 22:15:06.355594386 +0100
|
|
+++ Python-3.12.12/Lib/test/test_urllib.py 2026-02-10 22:18:23.820760279 +0100
|
|
@@ -12,6 +12,7 @@
|
|
from test.support import os_helper
|
|
from test.support import socket_helper
|
|
from test.support import warnings_helper
|
|
+from test.support import control_characters_c0
|
|
import os
|
|
try:
|
|
import ssl
|
|
@@ -688,6 +689,13 @@
|
|
# missing padding character
|
|
self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
|
|
|
|
+ def test_invalid_mediatype(self):
|
|
+ for c0 in control_characters_c0():
|
|
+ self.assertRaises(ValueError,urllib.request.urlopen,
|
|
+ f'data:text/html;{c0},data')
|
|
+ for c0 in control_characters_c0():
|
|
+ self.assertRaises(ValueError,urllib.request.urlopen,
|
|
+ f'data:text/html{c0};base64,ZGF0YQ==')
|
|
|
|
class urlretrieve_FileTests(unittest.TestCase):
|
|
"""Test urllib.urlretrieve() on local files"""
|
|
Index: Python-3.12.12/Lib/urllib/request.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/urllib/request.py 2026-02-10 22:15:06.739534061 +0100
|
|
+++ Python-3.12.12/Lib/urllib/request.py 2026-02-10 22:18:23.819325524 +0100
|
|
@@ -1655,6 +1655,11 @@
|
|
scheme, data = url.split(":",1)
|
|
mediatype, data = data.split(",",1)
|
|
|
|
+ # Disallow control characters within mediatype.
|
|
+ if re.search(r"[\x00-\x1F\x7F]", mediatype):
|
|
+ raise ValueError(
|
|
+ "Control characters not allowed in data: mediatype")
|
|
+
|
|
# even base64 encoded data URLs might be quoted so unquote in any case:
|
|
data = unquote_to_bytes(data)
|
|
if mediatype.endswith(";base64"):
|
|
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst 2026-02-10 22:18:23.819830797 +0100
|
|
@@ -0,0 +1 @@
|
|
+Reject control characters in ``data:`` URL media types.
|