File CVE-2025-15282-urllib-ctrl-chars.patch of Package python310

From d6c6f0880dbc6ffd770b859087f4cd749a1d0dbb Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Tue, 20 Jan 2026 14:45:58 -0600
Subject: [PATCH] [3.10] gh-143925: Reject control characters in data: URL
 mediatypes (cherry picked from commit
 f25509e78e8be6ea73c811ac2b8c928c28841b9f) (cherry picked from commit
 2c9c746077d8119b5bcf5142316992e464594946)

Co-authored-by: Seth Michael Larson <seth@python.org>
---
 Lib/test/test_urllib.py                                                  |    8 ++++++++
 Lib/urllib/request.py                                                    |    5 +++++
 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst |    1 +
 3 files changed, 14 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst

Index: Python-3.10.19/Lib/test/test_urllib.py
===================================================================
--- Python-3.10.19.orig/Lib/test/test_urllib.py	2026-02-12 01:05:56.127447144 +0100
+++ Python-3.10.19/Lib/test/test_urllib.py	2026-02-12 01:08:02.226352573 +0100
@@ -11,6 +11,7 @@
 from test import support
 from test.support import os_helper
 from test.support import warnings_helper
+from test.support import control_characters_c0
 import os
 try:
     import ssl
@@ -683,6 +684,13 @@
         # missing padding character
         self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
 
+    def test_invalid_mediatype(self):
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html;{c0},data')
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html{c0};base64,ZGF0YQ==')
 
 class urlretrieve_FileTests(unittest.TestCase):
     """Test urllib.urlretrieve() on local files"""
Index: Python-3.10.19/Lib/urllib/request.py
===================================================================
--- Python-3.10.19.orig/Lib/urllib/request.py	2026-02-12 01:05:56.627830069 +0100
+++ Python-3.10.19/Lib/urllib/request.py	2026-02-12 01:08:02.226810828 +0100
@@ -1654,6 +1654,11 @@
         scheme, data = url.split(":",1)
         mediatype, data = data.split(",",1)
 
+        # Disallow control characters within mediatype.
+        if re.search(r"[\x00-\x1F\x7F]", mediatype):
+            raise ValueError(
+                "Control characters not allowed in data: mediatype")
+
         # even base64 encoded data URLs might be quoted so unquote in any case:
         data = unquote_to_bytes(data)
         if mediatype.endswith(";base64"):
Index: Python-3.10.19/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.10.19/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst	2026-02-12 01:08:02.227192287 +0100
@@ -0,0 +1 @@
+Reject control characters in ``data:`` URL media types.