python-interpreters/python315
SHA256
6
0
Fork 0
forked from pool/python315
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
factory
python315/CVE-2026-0865-wsgiref-hdrs-EOLs.patch
Matěj Cepl e5855b89e8 Add CVE-2026-0865-wsgiref-hdrs-EOLs.patch fixing bsc#1257042 
(CVE-2026-0865) rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers.
2026-02-04 01:58:39 +01:00

69 lines
3.2 KiB
Diff
Raw Permalink Blame History

From e7f180b4c21576f52c08933a184d84dc4b47e00e Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
---
Lib/test/test_wsgiref.py | 12 +++++++++-
Lib/wsgiref/headers.py | 3 ++
Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst | 2 +
3 files changed, 16 insertions(+), 1 deletion(-)
Index: Python-3.15.0a3/Lib/test/test_wsgiref.py
===================================================================
--- Python-3.15.0a3.orig/Lib/test/test_wsgiref.py 2026-02-04 01:52:45.393433768 +0100
+++ Python-3.15.0a3/Lib/test/test_wsgiref.py 2026-02-04 01:52:52.928458181 +0100
@@ -1,6 +1,6 @@
from unittest import mock
from test import support
-from test.support import socket_helper
+from test.support import socket_helper, control_characters_c0
from test.test_httpservers import NoLogRequestHandler
from unittest import TestCase
from wsgiref.util import setup_testing_defaults
@@ -503,6 +503,16 @@
'\r\n'
)
+ def testRaisesControlCharacters(self):
+ headers = Headers()
+ for c0 in control_characters_c0():
+ self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
+ self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}")
+ self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
+ self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param")
+ self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}")
+
+
class ErrorHandler(BaseCGIHandler):
"""Simple handler subclass for testing BaseHandler"""
Index: Python-3.15.0a3/Lib/wsgiref/headers.py
===================================================================
--- Python-3.15.0a3.orig/Lib/wsgiref/headers.py 2026-02-04 01:52:45.666384529 +0100
+++ Python-3.15.0a3/Lib/wsgiref/headers.py 2026-02-04 01:52:52.928606420 +0100
@@ -9,6 +9,7 @@
# existence of which force quoting of the parameter value.
import re
tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
+_control_chars_re = re.compile(r'[\x00-\x1F\x7F]')
def _formatparam(param, value=None, quote=1):
"""Convenience function to format and return a key=value pair.
@@ -41,6 +42,8 @@
def _convert_string_type(self, value):
"""Convert/check value type."""
if type(value) is str:
+ if _control_chars_re.search(value):
+ raise ValueError("Control characters not allowed in headers")
return value
raise AssertionError("Header names/values must be"
" of type str (got {0})".format(repr(value)))
Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst 2026-02-04 01:52:52.928707130 +0100
@@ -0,0 +1,2 @@
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
+and parameters.
Reference in New Issue View Git Blame Copy Permalink