fix(CVE-2026-0672-http-hdr-inject-cookie-Morsel): add test.support.control_characters_c0
@@ -13,15 +13,16 @@ Co-authored-by: sobolevn <mail@sobolevn.me>
|
||||
---
|
||||
Doc/library/http.cookies.rst | 4
|
||||
Lib/http/cookies.py | 25 ++++
|
||||
Lib/test/support/__init__.py | 10 +
|
||||
Lib/test/test_http_cookies.py | 52 +++++++++-
|
||||
Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1
|
||||
4 files changed, 73 insertions(+), 9 deletions(-)
|
||||
5 files changed, 82 insertions(+), 10 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
|
||||
|
||||
Index: Python-3.14.2/Doc/library/http.cookies.rst
|
||||
===================================================================
|
||||
--- Python-3.14.2.orig/Doc/library/http.cookies.rst 2025-12-05 17:49:16.000000000 +0100
|
||||
+++ Python-3.14.2/Doc/library/http.cookies.rst 2026-01-29 14:10:49.541240012 +0100
|
||||
+++ Python-3.14.2/Doc/library/http.cookies.rst 2026-01-30 14:25:26.265077841 +0100
|
||||
@@ -292,9 +292,9 @@
|
||||
Set-Cookie: chips=ahoy
|
||||
Set-Cookie: vienna=finger
|
||||
@@ -36,8 +37,8 @@ Index: Python-3.14.2/Doc/library/http.cookies.rst
|
||||
>>> C["oreo"]["path"] = "/"
|
||||
Index: Python-3.14.2/Lib/http/cookies.py
|
||||
===================================================================
|
||||
--- Python-3.14.2.orig/Lib/http/cookies.py 2026-01-29 14:10:43.692250194 +0100
|
||||
+++ Python-3.14.2/Lib/http/cookies.py 2026-01-29 14:10:49.541387681 +0100
|
||||
--- Python-3.14.2.orig/Lib/http/cookies.py 2026-01-30 14:25:21.316524119 +0100
|
||||
+++ Python-3.14.2/Lib/http/cookies.py 2026-01-30 14:25:26.265560727 +0100
|
||||
@@ -87,9 +87,9 @@
|
||||
such trickeries do not confuse it.
|
||||
|
||||
@@ -105,10 +106,35 @@ Index: Python-3.14.2/Lib/http/cookies.py
|
||||
return sep.join(result)
|
||||
|
||||
__str__ = output
|
||||
Index: Python-3.14.2/Lib/test/support/__init__.py
|
||||
===================================================================
|
||||
--- Python-3.14.2.orig/Lib/test/support/__init__.py 2026-01-30 14:25:22.035209804 +0100
|
||||
+++ Python-3.14.2/Lib/test/support/__init__.py 2026-01-30 14:26:31.354376277 +0100
|
||||
@@ -68,7 +68,8 @@
|
||||
"BrokenIter",
|
||||
"in_systemd_nspawn_sync_suppressed",
|
||||
"run_no_yield_async_fn", "run_yielding_async_fn", "async_yield",
|
||||
- "reset_code", "on_github_actions"
|
||||
+ "reset_code", "on_github_actions",
|
||||
+ "control_characters_c0",
|
||||
]
|
||||
|
||||
|
||||
@@ -3185,3 +3186,10 @@
|
||||
return _linked_to_musl
|
||||
_linked_to_musl = tuple(map(int, version.split('.')))
|
||||
return _linked_to_musl
|
||||
+
|
||||
+
|
||||
+def control_characters_c0() -> list[str]:
|
||||
+ """Returns a list of C0 control characters as strings.
|
||||
+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
|
||||
+ """
|
||||
+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
|
||||
Index: Python-3.14.2/Lib/test/test_http_cookies.py
|
||||
===================================================================
|
||||
--- Python-3.14.2.orig/Lib/test/test_http_cookies.py 2026-01-29 14:10:45.256577882 +0100
|
||||
+++ Python-3.14.2/Lib/test/test_http_cookies.py 2026-01-29 14:10:49.541565806 +0100
|
||||
--- Python-3.14.2.orig/Lib/test/test_http_cookies.py 2026-01-30 14:25:22.919203244 +0100
|
||||
+++ Python-3.14.2/Lib/test/test_http_cookies.py 2026-01-30 14:25:26.265943668 +0100
|
||||
@@ -17,10 +17,10 @@
|
||||
'repr': "<SimpleCookie: chips='ahoy' vienna='finger'>",
|
||||
'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'},
|
||||
@@ -178,6 +204,6 @@ Index: Python-3.14.2/Lib/test/test_http_cookies.py
|
||||
Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-29 14:10:49.541701772 +0100
|
||||
+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-30 14:25:26.266224501 +0100
|
||||
@@ -0,0 +1 @@
|
||||
+Reject control characters in :class:`http.cookies.Morsel` fields and values.
|
||||
|
||||
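Review bot: The docstring of `control_characters_c0()`, the helper this revision adds to Lib/test/support/__init__.py, calls its result a "byte range", but the function returns one-character `str` values built with `chr()`, and 0x7F (DEL) is not part of the C0 set proper. I would word it as `"""Return the C0 control characters (U+0000-U+001F) and DEL (U+007F) as one-character strings."""` so callers do not mistake the result for bytes and the extra DEL entry is explicit. The Lib/http/cookies.py hunk is collapsed in this view, so whether the Morsel validation rejects exactly this set cannot be confirmed from here. Tests built on this helper exercise only these 33 characters.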