forked from pool/python312
Matěj Cepl
07beab470d
CVE-2025-11468: to preserve parens when folding comments.
(bsc#1257029, gh#python/cpython#143935)
CVE-2025-11468-email-hdr-fold-comment.patch
CVE-2025-12781: fix decoding with non-standard Base64 alphabet
(bsc#1257108, gh#python/cpython#125346)
CVE-2025-12781-b64decode-alt-chars.patch
CVE-2026-0672: rejects control characters in http cookies.
(bsc#1257031, gh#python/cpython#143919)
CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
CVE-2026-0865: rejecting control characters in
wsgiref.headers.Headers, which could be abused for injecting
false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
CVE-2026-0865-wsgiref-ctrl-chars.patch
CVE-2025-15366: basically the same as the previous patch for
IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
CVE-2025-15366-imap-ctrl-chars.patch
CVE-2025-15282: basically the same as the previous patch for
urllib library. (bsc#1257046, gh#python/cpython#143925)
CVE-2025-15282-urllib-ctrl-chars.patch
CVE-2025-15367: basically the same as the previous patch for
poplib library. (bsc#1257041, gh#python/cpython#143923)
CVE-2025-15367-poplib-ctrl-chars.patch
CVE-2025-13836: to prevent reading an HTTP response from
Content-Length per default as the length. (bsc#1254400,
gh#python/cpython#119451)
CVE-2025-13836-http-resp-cont-len.patch
CVE-2025-12084: prevent quadratic behavior in node ID cache
clearing. (bsc#1254997, gh#python/cpython#142145)
CVE-2025-12084-minidom-quad-search.patch
CVE-2025-13837: protect against OOM when loading malicious
content. (bsc#1254401, gh#python/cpython#119342)
CVE-2025-13837-plistlib-mailicious-length.patch
- gh-99242: os.getloadavg() may throw OSError when running
regression tests under certain conditions (e.g. chroot).
This error is now caught and ignored, since reporting load
average is optional.
- gh-121160: Add a test for readline.set_history_length().
Note that this test may fail on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of test_posixpath.
Call getpwnam() to get pw_dir, since it can be different
than getpwall() pw_dir. Patch by Victor Stinner.
- gh-121188: When creating the JUnit XML file, regrtest now
escapes characters which are invalid in XML, such as the
chr(27) control character used in ANSI escape sequences.
Patch by Victor Stinner.
- CVE-2026-1299 and CVE-2024-6923: email headers with
embedded newlines are now quoted on output. The generator
will now refuse to serialize (write) headers that are
unsafely folded or delimited; see verify_generated_headers.
(Contributed by Bas Bloemsaat and Petr Viktorin in
bsc#1228780, gh-121650; bsc#1257181, gh-121650).
- gh-120495: Fix incorrect exception handling in Tab Nanny.
Patch by Wulian233.
would produce incorrect results if type parameters in
a class scope were overridden by assignments in a class
scope and from __future__ import annotations semantics were
- gh-81936: help() and showtopic() methods now respect
a configured output argument to pydoc.Helper and not use
the pager in such cases. Patch by Enrico Tröger.
- gh-119577: The DeprecationWarning emitted when testing the
truth value of an xml.etree.ElementTree.Element now
- gh-121871: Documentation HTML varies from timestamp. Patch
by Bernhard M. Wiedemann (bsc#1227999).
- gh-122029: Emit c_call events in sys.setprofile() when
a PyMethodObject pointing to a PyCFunction is called.
modification of a list object, where one thread assigns
a slice and another clears it.
bytes and bytearray objects when using protocol version 5.
Patch by Bénédikt Tran.
97 lines
4.5 KiB
Diff
97 lines
4.5 KiB
Diff
From 03a7342c9e2bbdab20a6d882bf334608dc7a5d4b Mon Sep 17 00:00:00 2001
|
|
From: "Gregory P. Smith" <68491+gpshead@users.noreply.github.com>
|
|
Date: Sat, 17 Jan 2026 10:23:57 -0800
|
|
Subject: [PATCH] [3.12] gh-143916: Reject control characters in
|
|
wsgiref.headers.Headers (GH-143917) (GH-143973)
|
|
|
|
gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917)
|
|
|
|
* Add 'test.support' fixture for C0 control characters
|
|
* gh-143916: Reject control characters in wsgiref.headers.Headers
|
|
|
|
(cherry picked from commit f7fceed79ca1bceae8dbe5ba5bc8928564da7211)
|
|
(cherry picked from commit 22e4d55285cee52bc4dbe061324e5f30bd4dee58)
|
|
|
|
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
|
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
|
---
|
|
Lib/test/support/__init__.py | 7 +++++
|
|
Lib/test/test_wsgiref.py | 12 +++++++++-
|
|
Lib/wsgiref/headers.py | 3 ++
|
|
Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst | 2 +
|
|
4 files changed, 23 insertions(+), 1 deletion(-)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
|
|
|
|
Index: Python-3.12.12/Lib/test/support/__init__.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/test/support/__init__.py 2026-02-10 22:15:04.163026806 +0100
|
|
+++ Python-3.12.12/Lib/test/support/__init__.py 2026-02-10 22:17:57.451276662 +0100
|
|
@@ -2591,3 +2591,10 @@
|
|
if self.iter_raises:
|
|
1/0
|
|
return self
|
|
+
|
|
+
|
|
+def control_characters_c0() -> list[str]:
|
|
+ """Returns a list of C0 control characters as strings.
|
|
+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
|
|
+ """
|
|
+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
|
|
Index: Python-3.12.12/Lib/test/test_wsgiref.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/test/test_wsgiref.py 2026-02-10 22:15:06.432657502 +0100
|
|
+++ Python-3.12.12/Lib/test/test_wsgiref.py 2026-02-10 22:17:57.451566378 +0100
|
|
@@ -1,6 +1,6 @@
|
|
from unittest import mock
|
|
from test import support
|
|
-from test.support import socket_helper
|
|
+from test.support import socket_helper, control_characters_c0
|
|
from test.test_httpservers import NoLogRequestHandler
|
|
from unittest import TestCase
|
|
from wsgiref.util import setup_testing_defaults
|
|
@@ -503,6 +503,16 @@
|
|
'\r\n'
|
|
)
|
|
|
|
+ def testRaisesControlCharacters(self):
|
|
+ headers = Headers()
|
|
+ for c0 in control_characters_c0():
|
|
+ self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
|
|
+ self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}")
|
|
+ self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
|
|
+ self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param")
|
|
+ self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}")
|
|
+
|
|
+
|
|
class ErrorHandler(BaseCGIHandler):
|
|
"""Simple handler subclass for testing BaseHandler"""
|
|
|
|
Index: Python-3.12.12/Lib/wsgiref/headers.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/wsgiref/headers.py 2026-02-10 22:15:06.773169140 +0100
|
|
+++ Python-3.12.12/Lib/wsgiref/headers.py 2026-02-10 22:17:57.451729575 +0100
|
|
@@ -9,6 +9,7 @@
|
|
# existence of which force quoting of the parameter value.
|
|
import re
|
|
tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
|
|
+_control_chars_re = re.compile(r'[\x00-\x1F\x7F]')
|
|
|
|
def _formatparam(param, value=None, quote=1):
|
|
"""Convenience function to format and return a key=value pair.
|
|
@@ -41,6 +42,8 @@
|
|
def _convert_string_type(self, value):
|
|
"""Convert/check value type."""
|
|
if type(value) is str:
|
|
+ if _control_chars_re.search(value):
|
|
+ raise ValueError("Control characters not allowed in headers")
|
|
return value
|
|
raise AssertionError("Header names/values must be"
|
|
" of type str (got {0})".format(repr(value)))
|
|
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst 2026-02-10 22:17:57.451848490 +0100
|
|
@@ -0,0 +1,2 @@
|
|
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
|
|
+and parameters.
|