python-interpreters/python315
SHA256
6
0
Fork 0
forked from pool/python315
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch

Browse Source 
Reject control characters in http cookies (bsc#1257031, CVE-2026-0672).
This commit is contained in:
Matej Cepl
2026-01-29 14:05:31 +01:00
parent 53765ad497
commit 6995744826
3 changed files with 197 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch Normal file
View File

@@ -0,0 +1,191 @@
From ef01008e47a7741808ab223087a458f33e4dd922 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/5] Add 'test.support' fixture for C0 control characters
---
Doc/library/http.cookies.rst | 4
Lib/http/cookies.py | 25 ++++
Lib/test/support/__init__.py | 7 +
Lib/test/test_http_cookies.py | 52 +++++++++-
Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1
5 files changed, 80 insertions(+), 9 deletions(-)
Index: Python-3.15.0a3/Doc/library/http.cookies.rst
===================================================================
--- Python-3.15.0a3.orig/Doc/library/http.cookies.rst 2025-12-16 13:26:12.000000000 +0100
+++ Python-3.15.0a3/Doc/library/http.cookies.rst 2026-01-29 14:05:16.590570536 +0100
@@ -294,9 +294,9 @@
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger
>>> C = cookies.SimpleCookie()
- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
>>> print(C)
- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
>>> C = cookies.SimpleCookie()
>>> C["oreo"] = "doublestuff"
>>> C["oreo"]["path"] = "/"
Index: Python-3.15.0a3/Lib/http/cookies.py
===================================================================
--- Python-3.15.0a3.orig/Lib/http/cookies.py 2026-01-29 14:04:58.842924007 +0100
+++ Python-3.15.0a3/Lib/http/cookies.py 2026-01-29 14:05:16.590357855 +0100
@@ -87,9 +87,9 @@
such trickeries do not confuse it.
>>> C = cookies.SimpleCookie()
- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
>>> print(C)
- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
Each element of the Cookie also supports all of the RFC 2109
Cookie attributes. Here's an example which sets the Path
@@ -170,6 +170,15 @@
})
_is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch
+_control_character_re = re.compile(r'[\x00-\x1F\x7F]')
+
+
+def _has_control_character(*val):
+ """Detects control characters within a value.
+ Supports any type, as header values can be any type.
+ """
+ return any(_control_character_re.search(str(v)) for v in val)
+
def _quote(str):
r"""Quote a string for use in a cookie header.
@@ -294,12 +303,16 @@
K = K.lower()
if not K in self._reserved:
raise CookieError("Invalid attribute %r" % (K,))
+ if _has_control_character(K, V):
+ raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}")
dict.__setitem__(self, K, V)
def setdefault(self, key, val=None):
key = key.lower()
if key not in self._reserved:
raise CookieError("Invalid attribute %r" % (key,))
+ if _has_control_character(key, val):
+ raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,))
return dict.setdefault(self, key, val)
def __eq__(self, morsel):
@@ -335,6 +348,9 @@
raise CookieError('Attempt to set a reserved key %r' % (key,))
if not _is_legal_key(key):
raise CookieError('Illegal key %r' % (key,))
+ if _has_control_character(key, val, coded_val):
+ raise CookieError(
+ "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,))
# It's a good key, so save it.
self._key = key
@@ -488,7 +504,10 @@
result = []
items = sorted(self.items())
for key, value in items:
- result.append(value.output(attrs, header))
+ value_output = value.output(attrs, header)
+ if _has_control_character(value_output):
+ raise CookieError("Control characters are not allowed in cookies")
+ result.append(value_output)
return sep.join(result)
__str__ = output
Index: Python-3.15.0a3/Lib/test/support/__init__.py
===================================================================
--- Python-3.15.0a3.orig/Lib/test/support/__init__.py 2026-01-29 14:04:59.594499984 +0100
+++ Python-3.15.0a3/Lib/test/support/__init__.py 2026-01-29 14:05:16.588221721 +0100
@@ -3272,3 +3272,10 @@
return _linked_to_musl
_linked_to_musl = tuple(map(int, version.split('.')))
return _linked_to_musl
+
+
+def control_characters_c0() -> list[str]:
+ """Returns a list of C0 control characters as strings.
+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
+ """
+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
Index: Python-3.15.0a3/Lib/test/test_http_cookies.py
===================================================================
--- Python-3.15.0a3.orig/Lib/test/test_http_cookies.py 2026-01-29 14:05:00.455994675 +0100
+++ Python-3.15.0a3/Lib/test/test_http_cookies.py 2026-01-29 14:05:16.590146527 +0100
@@ -17,10 +17,10 @@
'repr': "<SimpleCookie: chips='ahoy' vienna='finger'>",
'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'},
- {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"',
- 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'},
- 'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=\\n;'>''',
- 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'},
+ {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"',
+ 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'},
+ 'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=;'>''',
+ 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'},
# Check illegal cookies that have an '=' char in an unquoted value
{'data': 'keebler=E=mc2',
@@ -594,6 +594,50 @@
r'Set-Cookie: key=coded_val; '
r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+')
+ def test_control_characters(self):
+ for c0 in support.control_characters_c0():
+ morsel = cookies.Morsel()
+
+ # .__setitem__()
+ with self.assertRaises(cookies.CookieError):
+ morsel[c0] = "val"
+ with self.assertRaises(cookies.CookieError):
+ morsel["path"] = c0
+
+ # .setdefault()
+ with self.assertRaises(cookies.CookieError):
+ morsel.setdefault("path", c0)
+ with self.assertRaises(cookies.CookieError):
+ morsel.setdefault(c0, "val")
+
+ # .set()
+ with self.assertRaises(cookies.CookieError):
+ morsel.set(c0, "val", "coded-value")
+ with self.assertRaises(cookies.CookieError):
+ morsel.set("path", c0, "coded-value")
+ with self.assertRaises(cookies.CookieError):
+ morsel.set("path", "val", c0)
+
+ def test_control_characters_output(self):
+ # Tests that even if the internals of Morsel are modified
+ # that a call to .output() has control character safeguards.
+ for c0 in support.control_characters_c0():
+ morsel = cookies.Morsel()
+ morsel.set("key", "value", "coded-value")
+ morsel._key = c0 # Override private variable.
+ cookie = cookies.SimpleCookie()
+ cookie["cookie"] = morsel
+ with self.assertRaises(cookies.CookieError):
+ cookie.output()
+
+ morsel = cookies.Morsel()
+ morsel.set("key", "value", "coded-value")
+ morsel._coded_value = c0 # Override private variable.
+ cookie = cookies.SimpleCookie()
+ cookie["cookie"] = morsel
+ with self.assertRaises(cookies.CookieError):
+ cookie.output()
+
def load_tests(loader, tests, pattern):
tests.addTest(doctest.DocTestSuite(cookies))
Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-29 14:05:16.589009315 +0100
@@ -0,0 +1 @@
+Reject control characters in :class:`http.cookies.Morsel` fields and values.

3
python315.changes
View File

@@ -7,6 +7,9 @@ Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
- Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch, which
rejects control characters in http cookies (bsc#1257031,
CVE-2026-0672).
-------------------------------------------------------------------
Wed Jan 21 18:02:37 UTC 2026 - Matej Cepl <mcepl@cepl.eu>

3
python315.spec
View File

@@ -235,6 +235,9 @@ Patch44: CVE-2024-6923-follow-up-EOL-email-headers.patch
# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com
# Email preserve parens when folding comments
Patch45: CVE-2025-11468-email-hdr-fold-comment.patch
# PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 mcepl@suse.com
# Reject control characters in http cookies
Patch46: CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
#### Python 3.15 DEVELOPMENT PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake