diff --git a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch b/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch index 71b1f94..76351cc 100644 --- a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch +++ b/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch @@ -13,15 +13,16 @@ Co-authored-by: sobolevn --- Doc/library/http.cookies.rst | 4 Lib/http/cookies.py | 25 ++++ + Lib/test/support/__init__.py | 10 + Lib/test/test_http_cookies.py | 52 +++++++++- Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1 - 4 files changed, 73 insertions(+), 9 deletions(-) + 5 files changed, 82 insertions(+), 10 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst Index: Python-3.14.2/Doc/library/http.cookies.rst =================================================================== --- Python-3.14.2.orig/Doc/library/http.cookies.rst 2025-12-05 17:49:16.000000000 +0100 -+++ Python-3.14.2/Doc/library/http.cookies.rst 2026-01-29 14:10:49.541240012 +0100 ++++ Python-3.14.2/Doc/library/http.cookies.rst 2026-01-30 14:25:26.265077841 +0100 @@ -292,9 +292,9 @@ Set-Cookie: chips=ahoy Set-Cookie: vienna=finger @@ -36,8 +37,8 @@ Index: Python-3.14.2/Doc/library/http.cookies.rst >>> C["oreo"]["path"] = "/" Index: Python-3.14.2/Lib/http/cookies.py =================================================================== ---- Python-3.14.2.orig/Lib/http/cookies.py 2026-01-29 14:10:43.692250194 +0100 -+++ Python-3.14.2/Lib/http/cookies.py 2026-01-29 14:10:49.541387681 +0100 +--- Python-3.14.2.orig/Lib/http/cookies.py 2026-01-30 14:25:21.316524119 +0100 ++++ Python-3.14.2/Lib/http/cookies.py 2026-01-30 14:25:26.265560727 +0100 @@ -87,9 +87,9 @@ such trickeries do not confuse it. 
@@ -105,10 +106,35 @@ Index: Python-3.14.2/Lib/http/cookies.py return sep.join(result) __str__ = output +Index: Python-3.14.2/Lib/test/support/__init__.py +=================================================================== +--- Python-3.14.2.orig/Lib/test/support/__init__.py 2026-01-30 14:25:22.035209804 +0100 ++++ Python-3.14.2/Lib/test/support/__init__.py 2026-01-30 14:26:31.354376277 +0100 +@@ -68,7 +68,8 @@ + "BrokenIter", + "in_systemd_nspawn_sync_suppressed", + "run_no_yield_async_fn", "run_yielding_async_fn", "async_yield", +- "reset_code", "on_github_actions" ++ "reset_code", "on_github_actions", ++ "control_characters_c0", + ] + + +@@ -3185,3 +3186,10 @@ + return _linked_to_musl + _linked_to_musl = tuple(map(int, version.split('.'))) + return _linked_to_musl ++ ++ ++def control_characters_c0() -> list[str]: ++ """Returns a list of C0 control characters as strings. ++ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F. ++ """ ++ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"] Index: Python-3.14.2/Lib/test/test_http_cookies.py =================================================================== ---- Python-3.14.2.orig/Lib/test/test_http_cookies.py 2026-01-29 14:10:45.256577882 +0100 -+++ Python-3.14.2/Lib/test/test_http_cookies.py 2026-01-29 14:10:49.541565806 +0100 +--- Python-3.14.2.orig/Lib/test/test_http_cookies.py 2026-01-30 14:25:22.919203244 +0100 ++++ Python-3.14.2/Lib/test/test_http_cookies.py 2026-01-30 14:25:26.265943668 +0100 @@ -17,10 +17,10 @@ 'repr': "", 'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'}, @@ -178,6 +204,6 @@ Index: Python-3.14.2/Lib/test/test_http_cookies.py Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst =================================================================== 
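Review bot: The new `control_characters_c0()` helper is added to the shared `Lib/test/support/__init__.py` (the `__all__` entry and the function appended at the end of the file) from inside this CVE-specific patch, so any other backport in the series that needs the same helper will likely fail to apply or define it twice. Consider carrying it in a small standalone patch applied first, or note the dependency in this patch's header. The docstring also describes 0x7F as part of C0 while the code appends it as an extra; something like `"""Return the C0 control characters (0x00-0x1F) and DEL (0x7F) as one-character strings."""` matches what the function returns. The tests that consume the helper and the runtime check in `Lib/http/cookies.py` are not visible in this interdiff, so it is worth confirming that the set rejected there is the same set the helper enumerates.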
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-29 14:10:49.541701772 +0100 ++++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-30 14:25:26.266224501 +0100 @@ -0,0 +1 @@ +Reject control characters in :class:`http.cookies.Morsel` fields and values.