python315/CVE-2025-15282-urllib-ctrl-chars.patch

From d8850aac54c234201966c66e83225564302cd15c Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters

---
 Lib/test/test_urllib.py                                                  |    7 +++++++
 Lib/urllib/request.py                                                    |    5 +++++
 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst |    1 +
 3 files changed, 13 insertions(+)

Index: Python-3.15.0a6/Lib/test/test_urllib.py
===================================================================
--- Python-3.15.0a6.orig/Lib/test/test_urllib.py	2026-02-11 22:31:19.832904633 +0100
+++ Python-3.15.0a6/Lib/test/test_urllib.py	2026-02-11 22:57:02.393345971 +0100
@@ -513,6 +513,13 @@
         self.assertFalse(e.exception.filename)
         self.assertTrue(e.exception.reason)
 
+    def test_invalid_mediatype(self):
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html;{c0},data')
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html{c0};base64,ZGF0YQ==')
 
 class urlopen_DataTests(unittest.TestCase):
     """Test urlopen() opening a data URL."""
Index: Python-3.15.0a6/Lib/urllib/request.py
===================================================================
--- Python-3.15.0a6.orig/Lib/urllib/request.py	2026-02-11 22:31:20.220618979 +0100
+++ Python-3.15.0a6/Lib/urllib/request.py	2026-02-11 22:57:02.393916978 +0100
@@ -1641,6 +1641,11 @@
             raise ValueError(
                 "Control characters not allowed in data: mediatype")
 
+        # Disallow control characters within mediatype.
+        if re.search(r"[\x00-\x1F\x7F]", mediatype):
+            raise ValueError(
+                "Control characters not allowed in data: mediatype")
+
         # even base64 encoded data URLs might be quoted so unquote in any case:
         data = unquote_to_bytes(data)
         if mediatype.endswith(";base64"):
Index: Python-3.15.0a6/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a6/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst	2026-02-11 22:57:02.394304909 +0100
@@ -0,0 +1 @@
+Reject control characters in ``data:`` URL media types.