From: Seth Michael Larson
Date: Tue, 20 Jan 2026 20:45:58 +0000 (-0600)
Subject: gh-143925: Reject control characters in data: URL mediatypes
X-Git-Tag: archive/raspbian/3.9.2-1+rpi1+deb11u6^2~4
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com//%22mailto:g.real.ate%40gmail.com/%22/%22http:/www.example.com/%22mailto:g.real.ate%40gmail.com/%22?a=commitdiff_plain;h=921c6fed011d661b857a564993d71d10fec76b48;p=python3.9.git
gh-143925: Reject control characters in data: URL mediatypes
Origin: upstream, https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f
Gbp-Pq: Name CVE-2025-15282.patch
---
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 68bb49e..2354f20 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -9,6 +9,7 @@ import io
 import unittest
 from unittest.mock import patch
 from test import support
+from test.support import control_characters_c0
 import os
 try:
 import ssl
@@ -681,6 +682,13 @@ class urlopen_DataTests(unittest.TestCase):
 # missing padding character
 self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
+ def test_invalid_mediatype(self):
+ for c0 in control_characters_c0():
+ self.assertRaises(ValueError,urllib.request.urlopen,
+ f'data:text/html;{c0},data')
+ for c0 in control_characters_c0():
+ self.assertRaises(ValueError,urllib.request.urlopen,
+ f'data:text/html{c0};base64,ZGF0YQ==')
 class urlretrieve_FileTests(unittest.TestCase):
 """Test urllib.urlretrieve() on local files"""
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index af3fb9c..a8463d7 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
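Review bot: Both loops in `test_invalid_mediatype` call `assertRaises` directly, so a failure will not say which control character was accepted. Wrapping each iteration in `with self.subTest(c0=c0):` gives one report per character, which matters when a regression affects only some of them. The test also depends on `control_characters_c0` from `test.support`, which this patch imports but does not add; on this backport branch it presumably comes from an earlier patch in the series, so the patch order should be checked.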
@@ -1653,6 +1653,11 @@ class DataHandler(BaseHandler):
 scheme, data = url.split(":",1)
 mediatype, data = data.split(",",1)
+ # Disallow control characters within mediatype.
+ if re.search(r"[\x00-\x1F\x7F]", mediatype):
+ raise ValueError(
+ "Control characters not allowed in data: mediatype")
+
 # even base64 encoded data URLs might be quoted so unquote in any case:
 data = unquote_to_bytes(data)
 if mediatype.endswith(";base64"):
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
new file mode 100644
index 0000000..46109df
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
@@ -0,0 +1 @@
+Reject control characters in ``data:`` URL media types.
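Review bot: The comment added above the `re.search` check in `Lib/urllib/request.py` says what is rejected but not why, and the reason is what stops a later refactor from weakening the check. I would extend it to something like `# Reject C0 controls and DEL in mediatype: CR/LF here would otherwise travel with the value into whatever is built from it later in this method.` The consumer of `mediatype` is outside this hunk, so the wording should be confirmed against the rest of the method. The check also runs on the raw string while only `data` is percent-decoded in the lines that follow; if `mediatype` is ever unquoted, the check has to move after that step. The enclosing method starts and ends outside the hunk.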