File CVE-2026-3644-cookies-Morsel-update-II.patch of Package python.43465

From d46a4974216debdd3566b4594e7d02a4370202a7 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Date: Mon, 16 Mar 2026 13:43:43 +0000
Subject: [PATCH 1/2] gh-145599, CVE 2026-3644: Reject control characters in
 `http.cookies.Morsel.update()` (#145600)

Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4)
---
 Lib/Cookie.py                                                            |   18 +++++
 Lib/test/test_cookie.py                                                  |   32 ++++++++++
 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst |    4 +
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst

Index: Python-2.7.18/Lib/Cookie.py
===================================================================
--- Python-2.7.18.orig/Lib/Cookie.py	2026-03-23 22:03:05.820221618 +0100
+++ Python-2.7.18/Lib/Cookie.py	2026-03-23 22:49:25.185734580 +0100
@@ -446,6 +446,19 @@
         dict.__setitem__(self, K, V)
     # end __setitem__
 
+    def update(self, values=None, **kwargs):
+        if values is not None:
+            if hasattr(values, 'items'):
+                values = values.items()
+            for K, V in values:
+                self[K] = V
+        for K, V in kwargs.items():
+            self[K] = V
+
+    def __ior__(self, values):
+        self.update(values)
+        return self
+
     def isReservedKey(self, K):
         return K.lower() in self._reserved
     # end isReservedKey
@@ -489,13 +502,16 @@
 
     def js_output(self, attrs=None):
         # Print javascript
+        output_string = self.OutputString(attrs)
+        if _has_control_character(output_string):
+            raise CookieError("Control characters are not allowed in cookies")
         return """
         <script type="text/javascript">
         <!-- begin hiding
         document.cookie = \"%s\";
         // end hiding -->
         </script>
-        """ % ( self.OutputString(attrs).replace('"',r'\"'), )
+        """ % ( output_string.replace('"',r'\"'), )
     # end js_output()
 
     def OutputString(self, attrs=None):
Index: Python-2.7.18/Lib/test/test_cookie.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_cookie.py	2026-03-23 22:03:05.820625690 +0100
+++ Python-2.7.18/Lib/test/test_cookie.py	2026-03-23 23:35:51.713202102 +0100
@@ -232,6 +232,19 @@
             with self.assertRaises(Cookie.CookieError):
                 morsel.set("path", "val", c0)
 
+            # .update()
+            with self.assertRaises(Cookie.CookieError):
+                morsel.update({"path": c0})
+            with self.assertRaises(Cookie.CookieError):
+                morsel.update({c0: "val"})
+
+            # .__ior__()
+            with self.assertRaises(Cookie.CookieError):
+                morsel |= {"path": c0}
+            with self.assertRaises(Cookie.CookieError):
+                morsel |= {c0: "val"}
+
+
     def test_control_characters_output(self):
         # Tests that even if the internals of Morsel are modified
         # that a call to .output() has control character safeguards.
@@ -253,6 +266,25 @@
                 cookie.output()
 
 
+        # Tests that .js_output() also has control character safeguards.
+        for c0 in control_characters_c0():
+            morsel = Cookie.Morsel()
+            morsel.set("key", "value", "coded-value")
+            morsel.key = c0  # Override internal variable.
+            cookie = Cookie.SimpleCookie()
+            cookie["cookie"] = morsel
+            with self.assertRaises(Cookie.CookieError):
+                cookie.js_output()
+
+            morsel = Cookie.Morsel()
+            morsel.set("key", "value", "coded-value")
+            morsel.coded_value = c0  # Override internal variable.
+            cookie = Cookie.SimpleCookie()
+            cookie["cookie"] = morsel
+            with self.assertRaises(Cookie.CookieError):
+                cookie.js_output()
+
+
 def test_main():
     run_unittest(CookieTests)
     if Cookie.__doc__ is not None:
Index: Python-2.7.18/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-2.7.18/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst	2026-03-23 22:03:05.856774702 +0100
@@ -0,0 +1,4 @@
+Reject control characters in :class:`http.cookies.Morsel`
+:meth:`~http.cookies.Morsel.update` and
+:meth:`~http.cookies.BaseCookie.js_output`.
+This addresses `CVE-2026-3644 <https://www.cve.org/CVERecord?id=CVE-2026-3644>`_.