From e5495e2b21d60734000df53ba8fa0d86bc43110e5f4385cc9f53fdbc1b52fc12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Wed, 4 Feb 2026 16:58:21 +0100
Subject: [PATCH] Fix CVE-2025-15282 (bsc#1257046)

Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046
  (CVE-2025-15282) using gh#python/cpython!143926 and doing
  basically the same as the previous patch for urllib library.
---
 CVE-2025-15282-urllib-ctrl-chars.patch | 59 ++++++++++++++++++++++++++
 python315.changes                      |  3 ++
 python315.spec                         |  3 ++
 3 files changed, 65 insertions(+)
 create mode 100644 CVE-2025-15282-urllib-ctrl-chars.patch

diff --git a/CVE-2025-15282-urllib-ctrl-chars.patch b/CVE-2025-15282-urllib-ctrl-chars.patch
new file mode 100644
index 0000000..c8c1e53
--- /dev/null
+++ b/CVE-2025-15282-urllib-ctrl-chars.patch
@@ -0,0 +1,59 @@
+From d8850aac54c234201966c66e83225564302cd15c Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 16 Jan 2026 10:54:09 -0600
+Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
+
+---
+ Lib/test/test_urllib.py                                                  |    8 ++++++++
+ Lib/urllib/request.py                                                    |    5 +++++
+ Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst |    1 +
+ 3 files changed, 14 insertions(+)
+
+Index: Python-3.15.0a3/Lib/test/test_urllib.py
+===================================================================
+--- Python-3.15.0a3.orig/Lib/test/test_urllib.py	2026-02-04 16:57:42.070871001 +0100
++++ Python-3.15.0a3/Lib/test/test_urllib.py	2026-02-04 16:57:49.106800440 +0100
+@@ -10,6 +10,7 @@
+ from test import support
+ from test.support import os_helper
+ from test.support import socket_helper
++from test.support import control_characters_c0
+ import os
+ import socket
+ try:
+@@ -590,6 +591,13 @@
+         # missing padding character
+         self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
+ 
++    def test_invalid_mediatype(self):
++        for c0 in control_characters_c0():
++            self.assertRaises(ValueError,urllib.request.urlopen,
++                              f'data:text/html;{c0},data')
++        for c0 in control_characters_c0():
++            self.assertRaises(ValueError,urllib.request.urlopen,
++                              f'data:text/html{c0};base64,ZGF0YQ==')
+ 
+ class urlretrieve_FileTests(unittest.TestCase):
+     """Test urllib.urlretrieve() on local files"""
+Index: Python-3.15.0a3/Lib/urllib/request.py
+===================================================================
+--- Python-3.15.0a3.orig/Lib/urllib/request.py	2026-02-04 16:57:42.390604584 +0100
++++ Python-3.15.0a3/Lib/urllib/request.py	2026-02-04 16:57:49.107133794 +0100
+@@ -1634,6 +1634,11 @@
+         scheme, data = url.split(":",1)
+         mediatype, data = data.split(",",1)
+ 
++        # Disallow control characters within mediatype.
++        if re.search(r"[\x00-\x1F\x7F]", mediatype):
++            raise ValueError(
++                "Control characters not allowed in data: mediatype")
++
+         # even base64 encoded data URLs might be quoted so unquote in any case:
+         data = unquote_to_bytes(data)
+         if mediatype.endswith(";base64"):
+Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst	2026-02-04 16:57:49.107422870 +0100
+@@ -0,0 +1 @@
++Reject control characters in ``data:`` URL media types.
diff --git a/python315.changes b/python315.changes
index 7b53ea7..b2aab0c 100644
--- a/python315.changes
+++ b/python315.changes
@@ -12,6 +12,9 @@ Wed Feb  4 00:53:37 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
 - Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
   (CVE-2025-15366) using gh#python/cpython!143922 and doing
   basically the same as the previous patch for IMAP protocol.
+- Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046
+  (CVE-2025-15282) using gh#python/cpython!143926 and doing
+  basically the same as the previous patch for urllib library.
 
 -------------------------------------------------------------------
 Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
diff --git a/python315.spec b/python315.spec
index 40917bb..ddc53a2 100644
--- a/python315.spec
+++ b/python315.spec
@@ -247,6 +247,9 @@ Patch48:        CVE-2026-0865-wsgiref-ctrl-chars.patch
 # PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
 # Reject control characters in wsgiref.headers.Headers
 Patch49:        CVE-2025-15366-imap-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15282-urllib-ctrl-chars.patch bsc#1257046 mcepl@suse.com
+# Reject control characters in wsgiref.headers.Headers
+Patch50:        CVE-2025-15282-urllib-ctrl-chars.patch
 #### Python 3.15 DEVELOPMENT PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake