git.ipfire.org Git - thirdparty/Python/cpython.git/commit

[3.11] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600) (#146026)

* gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600)

Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.
(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4)

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
* Update Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
---------

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>

author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Sun, 28 Jun 2026 22:16:33 +0000 (00:16 +0200)
committer	GitHub <noreply@github.com>
	Sun, 28 Jun 2026 22:16:33 +0000 (23:16 +0100)
commit	dae4b1a21f8df4570e30986affd61bbe4ade4cef
tree	1df5b231dca096f3302d107f8119dd2347a87128	tree \| snapshot
parent	f86064e0b87d974ec8db6bc841721695fed43b88	commit \| diff

Lib/http/cookies.py		diff \| blob \| blame \| history
Lib/test/test_http_cookies.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst	[new file with mode: 0644]	blob