git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Victor Stinner <vstinner@python.org>
	Sat, 27 Jun 2026 18:00:01 +0000 (20:00 +0200)
committer	GitHub <noreply@github.com>
	Sat, 27 Jun 2026 18:00:01 +0000 (20:00 +0200)
commit	556aa098e738b127c714866f819b4abe2f7593d8
tree	43472783c5847f0a54e517ef822ed7e3576f7a7c	tree \| snapshot
parent	58703ec1bdd1eb075e8b01a0c427683ce594dd3e	commit \| diff

[3.10] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (#145600) (#146027)

* gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (#145600)

Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4)

* Update Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
---------

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>

Lib/http/cookies.py		diff \| blob \| blame \| history
Lib/test/test_http_cookies.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst	[new file with mode: 0644]	blob