From d46a4974216debdd3566b4594e7d02a4370202a7 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> Date: Mon, 16 Mar 2026 13:43:43 +0000 Subject: [PATCH 1/2] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (#145600) Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`. Co-authored-by: Victor Stinner Co-authored-by: Victor Stinner (cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4) --- Lib/http/cookies.py | 9 ++ Lib/test/test_http_cookies.py | 31 ++++++++++ Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst | 4 + 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst Index: Python-3.4.10/Lib/http/cookies.py =================================================================== --- Python-3.4.10.orig/Lib/http/cookies.py 2026-03-23 22:17:29.446168539 +0100 +++ Python-3.4.10/Lib/http/cookies.py 2026-03-23 22:38:57.227059854 +0100 @@ -351,6 +351,19 @@ ) dict.__setitem__(self, K, V) + def update(self, values=None, **kwargs): + if values is not None: + if hasattr(values, 'items'): + values = values.items() + for K, V in values: + self[K] = V + for K, V in kwargs.items(): + self[K] = V + + def __ior__(self, values): + self.update(values) + return self + def isReservedKey(self, K): return K.lower() in self._reserved @@ -390,13 +403,16 @@ def js_output(self, attrs=None): # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") return """ - """ % (self.OutputString(attrs).replace('"', r'\"')) + """ % (output_string.replace('"', r'\"')) def OutputString(self, attrs=None): # Build up our result Index: Python-3.4.10/Lib/test/test_http_cookies.py =================================================================== --- Python-3.4.10.orig/Lib/test/test_http_cookies.py 2026-03-23 22:17:29.446618298 +0100 +++ Python-3.4.10/Lib/test/test_http_cookies.py 2026-03-23 22:38:57.228059855 +0100 @@ -321,6 +321,18 @@ with self.assertRaises(cookies.CookieError): morsel.set("path", "val", c0) + # .update() + with self.assertRaises(cookies.CookieError): + morsel.update({"path": c0}) + with self.assertRaises(cookies.CookieError): + morsel.update({c0: "val"}) + + # .__ior__() + with self.assertRaises(cookies.CookieError): + morsel |= {"path": c0} + with self.assertRaises(cookies.CookieError): + morsel |= {c0: "val"} + def test_control_characters_output(self): # Tests that even if the internals of Morsel are modified # that a call to .output() has control character safeguards. @@ -342,6 +354,25 @@ cookie.output() + # Tests that .js_output() also has control character safeguards. + for c0 in control_characters_c0(): + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel.key = c0 # Override internal variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.js_output() + + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel.coded_value = c0 # Override internal variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.js_output() + + def test_main(): run_unittest(CookieTests, MorselTests) run_doctest(cookies) Index: Python-3.4.10/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.4.10/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst 2026-03-23 22:17:29.521016192 +0100 @@ -0,0 +1,4 @@ +Reject control characters in :class:`http.cookies.Morsel` +:meth:`~http.cookies.Morsel.update` and +:meth:`~http.cookies.BaseCookie.js_output`. +This addresses `CVE-2026-3644 `_.