dgit.raspbian.org Git - python3.9.git/commit

[PATCH] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (#145600)

Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4)

Origin: other, https://github.com/python/cpython/commit/d46a4974216debdd3566b4594e7d02a4370202a7

Gbp-Pq: Name CVE-2026-3644.patch

author	Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
	Mon, 16 Mar 2026 13:43:43 +0000 (13:43 +0000)
committer	Arnaud Rebillout <arnaudr@debian.org>
	Thu, 14 May 2026 03:00:00 +0000 (10:00 +0700)
commit	2628337a4ed20702a648a1c37e5a1f2ac65fe5ee
tree	45575053bc87a426f5fe8869119f1f7a4ec21afe	tree \| snapshot
parent	a20e7fcb5b131eb6fe3eda4cde32851e2ae4445f	commit \| diff

Lib/http/cookies.py		diff \| blob \| history
Lib/test/test_http_cookies.py		diff \| blob \| history
Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst	[new file with mode: 0644]	blob