Description
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
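For hosts where the package is still listed as unfixed, untrusted input can be screened before it reaches `http.cookies`. The following is an added example, not the CPython patch: the helper names are hypothetical, and the control-character range (C0 plus DEL) is this example's assumption about what to reject.

```python
from http.cookies import SimpleCookie


def _has_control_char(text):
    # Assumption of this example: "control character" = 0x00-0x1F or 0x7F.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def control_char_fields(name, value, attrs=None):
    """Return labels of the cookie fields that contain a control character."""
    fields = {"name": name, "value": value}
    for key, val in (attrs or {}).items():
        # Unknown attribute names are already rejected by Morsel itself,
        # so only the attribute values need screening here.
        fields["attr:" + key] = str(val)
    return [label for label, text in fields.items() if _has_control_char(text)]


def build_set_cookie(name, value, attrs=None):
    """Build a Set-Cookie header value, refusing fields with control characters."""
    bad = control_char_fields(name, value, attrs)
    if bad:
        raise ValueError("control character in cookie field(s): " + ", ".join(bad))
    cookie = SimpleCookie()
    cookie[name] = value
    for key, val in (attrs or {}).items():
        cookie[name][key] = val
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed sample inputs; the second value carries an embedded CRLF.
    samples = [
        ("sid", "abc", {"path": "/"}),
        ("sid", "abc\r\nX-Constructed: 1", None),
        ("sid", "abc", {"path": "/\n"}),
    ]
    for name, value, attrs in samples:
        try:
            print("OK      ", build_set_cookie(name, value, attrs))
        except ValueError as exc:
            print("REJECTED", exc)
```
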
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| python3.14 | fixed | 3.14.3-1 | | package |
| python3.13 | fixed | 3.13.12-1 | | package |
| python3.11 | removed | | | package |
| python3.9 | removed | | | package |
| pypy3 | unfixed | | | package |
| pypy3 | no-dsa | | trixie | package |
| pypy3 | no-dsa | | bookworm | package |
| pypy3 | postponed | | bullseye | package |
Notes
https://github.com/python/cpython/pull/143920
https://github.com/python/cpython/issues/143919
https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/
https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70
https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440 (3.14 branch)
https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca (3.13 branch)
https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85 (3.11 branch)
https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d (3.10 branch)