Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch

Reject control characters in http cookies (bsc#1257031, CVE-2026-0672).
2026-01-29 14:05:31 +01:00
parent 79a850acd8
commit 057996f99f
3 changed files with 189 additions and 0 deletions
--- a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
+++ b/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
@@ -0,0 +1,183 @@
+From 19ca21e044a9485c85b08aab297a5cbb8680b8d1 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 15:23:42 -0600
+Subject: [PATCH] gh-143919: Reject control characters in http cookies (cherry
+ picked from commit 95746b3a13a985787ef53b977129041971ed7f70)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Bartosz Sławecki <bartosz@ilikepython.com>
+Co-authored-by: sobolevn <mail@sobolevn.me>
+---
+ Doc/library/http.cookies.rst                                             |    4 
+ Lib/http/cookies.py                                                      |   25 ++++
+ Lib/test/test_http_cookies.py                                            |   52 +++++++++-
+ Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst |    1 
+ 4 files changed, 73 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
+
+Index: Python-3.13.11/Doc/library/http.cookies.rst
+===================================================================
+--- Python-3.13.11.orig/Doc/library/http.cookies.rst	2025-12-05 17:06:33.000000000 +0100
+++ Python-3.13.11/Doc/library/http.cookies.rst	2026-01-30 14:44:25.305782794 +0100
+@@ -275,9 +275,9 @@
+    Set-Cookie: chips=ahoy
+    Set-Cookie: vienna=finger
+    >>> C = cookies.SimpleCookie()
+-   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
+   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
+    >>> print(C)
+-   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
+   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
+    >>> C = cookies.SimpleCookie()
+    >>> C["oreo"] = "doublestuff"
+    >>> C["oreo"]["path"] = "/"
+Index: Python-3.13.11/Lib/http/cookies.py
+===================================================================
+--- Python-3.13.11.orig/Lib/http/cookies.py	2025-12-05 17:06:33.000000000 +0100
+++ Python-3.13.11/Lib/http/cookies.py	2026-01-30 14:44:25.306003494 +0100
+@@ -87,9 +87,9 @@
+ such trickeries do not confuse it.
+ 
+    >>> C = cookies.SimpleCookie()
+-   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
+   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
+    >>> print(C)
+-   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
+   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
+ 
+ Each element of the Cookie also supports all of the RFC 2109
+ Cookie attributes.  Here's an example which sets the Path
+@@ -170,6 +170,15 @@
+ })
+ 
+ _is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch
+_control_character_re = re.compile(r'[\x00-\x1F\x7F]')
+
+
+def _has_control_character(*val):
+    """Detects control characters within a value.
+    Supports any type, as header values can be any type.
+    """
+    return any(_control_character_re.search(str(v)) for v in val)
+
+ 
+ def _quote(str):
+     r"""Quote a string for use in a cookie header.
+@@ -292,12 +301,16 @@
+         K = K.lower()
+         if not K in self._reserved:
+             raise CookieError("Invalid attribute %r" % (K,))
+        if _has_control_character(K, V):
+            raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}")
+         dict.__setitem__(self, K, V)
+ 
+     def setdefault(self, key, val=None):
+         key = key.lower()
+         if key not in self._reserved:
+             raise CookieError("Invalid attribute %r" % (key,))
+        if _has_control_character(key, val):
+            raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,))
+         return dict.setdefault(self, key, val)
+ 
+     def __eq__(self, morsel):
+@@ -333,6 +346,9 @@
+             raise CookieError('Attempt to set a reserved key %r' % (key,))
+         if not _is_legal_key(key):
+             raise CookieError('Illegal key %r' % (key,))
+        if _has_control_character(key, val, coded_val):
+            raise CookieError(
+                "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,))
+ 
+         # It's a good key, so save it.
+         self._key = key
+@@ -486,7 +502,10 @@
+         result = []
+         items = sorted(self.items())
+         for key, value in items:
+-            result.append(value.output(attrs, header))
+            value_output = value.output(attrs, header)
+            if _has_control_character(value_output):
+                raise CookieError("Control characters are not allowed in cookies")
+            result.append(value_output)
+         return sep.join(result)
+ 
+     __str__ = output
+Index: Python-3.13.11/Lib/test/test_http_cookies.py
+===================================================================
+--- Python-3.13.11.orig/Lib/test/test_http_cookies.py	2025-12-05 17:06:33.000000000 +0100
+++ Python-3.13.11/Lib/test/test_http_cookies.py	2026-01-30 14:44:25.306223496 +0100
+@@ -18,10 +18,10 @@
+              'repr': "<SimpleCookie: chips='ahoy' vienna='finger'>",
+              'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'},
+ 
+-            {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"',
+-             'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'},
+-             'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=\\n;'>''',
+-             'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'},
+            {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"',
+             'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'},
+             'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=;'>''',
+             'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'},
+ 
+             # Check illegal cookies that have an '=' char in an unquoted value
+             {'data': 'keebler=E=mc2',
+@@ -564,6 +564,50 @@
+                 r'Set-Cookie: key=coded_val; '
+                 r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+')
+ 
+    def test_control_characters(self):
+        for c0 in support.control_characters_c0():
+            morsel = cookies.Morsel()
+
+            # .__setitem__()
+            with self.assertRaises(cookies.CookieError):
+                morsel[c0] = "val"
+            with self.assertRaises(cookies.CookieError):
+                morsel["path"] = c0
+
+            # .setdefault()
+            with self.assertRaises(cookies.CookieError):
+                morsel.setdefault("path", c0)
+            with self.assertRaises(cookies.CookieError):
+                morsel.setdefault(c0, "val")
+
+            # .set()
+            with self.assertRaises(cookies.CookieError):
+                morsel.set(c0, "val", "coded-value")
+            with self.assertRaises(cookies.CookieError):
+                morsel.set("path", c0, "coded-value")
+            with self.assertRaises(cookies.CookieError):
+                morsel.set("path", "val", c0)
+
+    def test_control_characters_output(self):
+        # Tests that even if the internals of Morsel are modified
+        # that a call to .output() has control character safeguards.
+        for c0 in support.control_characters_c0():
+            morsel = cookies.Morsel()
+            morsel.set("key", "value", "coded-value")
+            morsel._key = c0  # Override private variable.
+            cookie = cookies.SimpleCookie()
+            cookie["cookie"] = morsel
+            with self.assertRaises(cookies.CookieError):
+                cookie.output()
+
+            morsel = cookies.Morsel()
+            morsel.set("key", "value", "coded-value")
+            morsel._coded_value = c0  # Override private variable.
+            cookie = cookies.SimpleCookie()
+            cookie["cookie"] = morsel
+            with self.assertRaises(cookies.CookieError):
+                cookie.output()
+
+ 
+ def load_tests(loader, tests, pattern):
+     tests.addTest(doctest.DocTestSuite(cookies))
+Index: Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst	2026-01-30 14:44:25.306394608 +0100
+@@ -0,0 +1 @@
+Reject control characters in :class:`http.cookies.Morsel` fields and values.
--- a/python313.changes
+++ b/python313.changes
@@ -7,6 +7,9 @@ Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
 - Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
  parens when folding comments in email headers (bsc#1257029,
  CVE-2025-11468).
+- Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch, which
+  rejects control characters in http cookies (bsc#1257031,
+  CVE-2026-0672).

 -------------------------------------------------------------------
 Thu Dec 11 21:36:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
--- a/python313.spec
+++ b/python313.spec
@@ -245,6 +245,9 @@ Patch49:        CVE-2024-6923-follow-up-EOL-email-headers.patch
 # PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com
 # Email preserve parens when folding comments
 Patch50:        CVE-2025-11468-email-hdr-fold-comment.patch
+# PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 mcepl@suse.com
+# Reject control characters in http cookies
+Patch51:        CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
 #### END OF PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake