forked from pool/python315
Fix CVE-2025-15282 (bsc#1257046)
Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046 (CVE-2025-15282) using gh#python/cpython!143926 and doing basically the same as the previous patch for urllib library.
This commit is contained in:
59
CVE-2025-15282-urllib-ctrl-chars.patch
Normal file
59
CVE-2025-15282-urllib-ctrl-chars.patch
Normal file
@@ -0,0 +1,59 @@
|
||||
From d8850aac54c234201966c66e83225564302cd15c Mon Sep 17 00:00:00 2001
|
||||
From: Seth Michael Larson <seth@python.org>
|
||||
Date: Fri, 16 Jan 2026 10:54:09 -0600
|
||||
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
|
||||
|
||||
---
|
||||
Lib/test/test_urllib.py | 8 ++++++++
|
||||
Lib/urllib/request.py | 5 +++++
|
||||
Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst | 1 +
|
||||
3 files changed, 14 insertions(+)
|
||||
|
||||
Index: Python-3.15.0a3/Lib/test/test_urllib.py
|
||||
===================================================================
|
||||
--- Python-3.15.0a3.orig/Lib/test/test_urllib.py 2026-02-04 16:57:42.070871001 +0100
|
||||
+++ Python-3.15.0a3/Lib/test/test_urllib.py 2026-02-04 16:57:49.106800440 +0100
|
||||
@@ -10,6 +10,7 @@
|
||||
from test import support
|
||||
from test.support import os_helper
|
||||
from test.support import socket_helper
|
||||
+from test.support import control_characters_c0
|
||||
import os
|
||||
import socket
|
||||
try:
|
||||
@@ -590,6 +591,13 @@
|
||||
# missing padding character
|
||||
self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
|
||||
|
||||
+ def test_invalid_mediatype(self):
|
||||
+ for c0 in control_characters_c0():
|
||||
+ self.assertRaises(ValueError,urllib.request.urlopen,
|
||||
+ f'data:text/html;{c0},data')
|
||||
+ for c0 in control_characters_c0():
|
||||
+ self.assertRaises(ValueError,urllib.request.urlopen,
|
||||
+ f'data:text/html{c0};base64,ZGF0YQ==')
|
||||
|
||||
class urlretrieve_FileTests(unittest.TestCase):
|
||||
"""Test urllib.urlretrieve() on local files"""
|
||||
Index: Python-3.15.0a3/Lib/urllib/request.py
|
||||
===================================================================
|
||||
--- Python-3.15.0a3.orig/Lib/urllib/request.py 2026-02-04 16:57:42.390604584 +0100
|
||||
+++ Python-3.15.0a3/Lib/urllib/request.py 2026-02-04 16:57:49.107133794 +0100
|
||||
@@ -1634,6 +1634,11 @@
|
||||
scheme, data = url.split(":",1)
|
||||
mediatype, data = data.split(",",1)
|
||||
|
||||
+ # Disallow control characters within mediatype.
|
||||
+ if re.search(r"[\x00-\x1F\x7F]", mediatype):
|
||||
+ raise ValueError(
|
||||
+ "Control characters not allowed in data: mediatype")
|
||||
+
|
||||
# even base64 encoded data URLs might be quoted so unquote in any case:
|
||||
data = unquote_to_bytes(data)
|
||||
if mediatype.endswith(";base64"):
|
||||
Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst 2026-02-04 16:57:49.107422870 +0100
|
||||
@@ -0,0 +1 @@
|
||||
+Reject control characters in ``data:`` URL media types.
|
||||
@@ -12,6 +12,9 @@ Wed Feb 4 00:53:37 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
|
||||
- Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
|
||||
(CVE-2025-15366) using gh#python/cpython!143922 and doing
|
||||
basically the same as the previous patch for IMAP protocol.
|
||||
- Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046
|
||||
(CVE-2025-15282) using gh#python/cpython!143926 and doing
|
||||
basically the same as the previous patch for urllib library.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
@@ -247,6 +247,9 @@ Patch48: CVE-2026-0865-wsgiref-ctrl-chars.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
|
||||
# Reject control characters in wsgiref.headers.Headers
|
||||
Patch49: CVE-2025-15366-imap-ctrl-chars.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-15282-urllib-ctrl-chars.patch bsc#1257046 mcepl@suse.com
|
||||
# Reject control characters in wsgiref.headers.Headers
|
||||
Patch50: CVE-2025-15282-urllib-ctrl-chars.patch
|
||||
#### Python 3.15 DEVELOPMENT PATCHES
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
|
||||
Reference in New Issue
Block a user