Security
* gh-144125: BytesGenerator will now refuse to serialize (write)
headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and Petr
Viktorin in gh-121650).
* gh-143935: Fixed a bug in the folding of comments when flattening an
email message using a modern email policy. Comments consisting of a
very long sequence of non-foldable characters could trigger a forced
line wrap that omitted the required leading space on the continuation
line, causing the remainder of the comment to be interpreted as a new
header field. This enabled header injection with carefully crafted
inputs.
* gh-143925: Reject control characters in data: URL media types.
* gh-143919: Reject control characters in http.cookies.Morsel fields
and values.
* gh-143916: Reject C0 control characters within wsgiref.headers.Headers
fields, values, and parameters.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
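
The gh-143935 entry above describes a forced wrap that dropped the leading space on a continuation line. As an added example (not code from CPython or from this commit), the check below splits a serialized header block the way a receiving parser would and reports field names the sender never set. The function names, the `X-Note` name and the sample strings are constructed for illustration.

```python
import re

# RFC 5322 field name: printable ASCII except ":", then optional WSP and ":".
FIELD_START = re.compile(r"^([!-9;-~]+)[ \t]*:")

def split_fields(serialized):
    """Split a serialized header block as a receiving parser would.

    Returns (fields, stray): fields is a list of (name, unfolded value);
    stray lists 0-based numbers of lines that are neither a continuation
    (leading SP/HTAB) nor a well-formed field start.
    """
    fields, stray = [], []
    for number, line in enumerate(re.split(r"\r\n|\n", serialized)):
        if not line:
            break  # a blank line ends the header block
        if line[0] in " \t" and fields:
            # Properly folded continuation: belongs to the previous field.
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        match = FIELD_START.match(line)
        if match:
            fields.append((match.group(1), line[match.end():].strip()))
        else:
            stray.append(number)
    return fields, stray

def unexpected_fields(serialized, intended):
    """Field names a parser would see that the sender never set."""
    allowed = {name.lower() for name in intended}
    fields, _ = split_fields(serialized)
    return [name for name, _ in fields if name.lower() not in allowed]

# Constructed sample output; not produced by any real Python version.
LONG = "a" * 70  # long run of non-foldable comment characters
SAFE = f"To: user@example.com ({LONG}\r\n X-Note: still comment text)\r\nSubject: hi\r\n"
UNSAFE = f"To: user@example.com ({LONG}\r\nX-Note: still comment text)\r\nSubject: hi\r\n"

if __name__ == "__main__":
    for label, block in (("safe", SAFE), ("unsafe", UNSAFE)):
        print(label, unexpected_fields(block, ["To", "Subject"]))
```

Running the same comparison on a message after flattening it, with the list of headers the application actually set, catches this class of fold error regardless of which Python version produced the output.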