Untriaged
Header injection in http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
References
- https://github.com/python/cpython/pull/143920 patch
- https://github.com/python/cpython/issues/143919 issue-tracking
- https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQ… vendor-advisory
- https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f… patch
- https://github.com/python/cpython/pull/143920 patch
- https://github.com/python/cpython/issues/143919 issue-tracking
- https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQ… vendor-advisory
- https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f… patch
- https://github.com/python/cpython/pull/143920 patch
- https://github.com/python/cpython/issues/143919 issue-tracking
- https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQ… vendor-advisory
- https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f… patch
- https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa4… patch
- https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f… patch
- https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa4… patch
- https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f1… patch
- https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba… patch
- https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756… patch
- https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e… patch
- https://github.com/python/cpython/pull/143920 patch
- https://github.com/python/cpython/issues/143919 issue-tracking
- https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQ… vendor-advisory
- https://github.com/python/cpython/pull/143920 patch
- https://github.com/python/cpython/issues/143919 issue-tracking
- https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQ… vendor-advisory
- https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f… patch
- https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa4… patch
- https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f1… patch
- https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba… patch
- https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756… patch
- https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e… patch
- https://github.com/python/cpython/pull/143920 patch
- https://github.com/python/cpython/issues/143919 issue-tracking
- https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQ… vendor-advisory
- https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f… patch
- https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa4… patch
- https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f1… patch
- https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba… patch
- https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756… patch
- https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e… patch
Affected products
CPython
- <3.13.12
- <3.14.3
- <3.15.0a6
- <3.15.0
Matching in nixpkgs
pkgs.haskellPackages.cpython
Bindings for libpython
Package maintainers
-
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>