rpms/python3.14
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fixup for CVE-2026-6019

Browse Source 
Related: RHEL-176147
This commit is contained in:
Charalampos Stratakis 2026-06-09 17:39:48 +02:00
parent 87a6dd2b48
commit 7b3248d1cd
2 changed files with 130 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
00487-fixup-for-CVE-2026-6019.patch Normal file
View File

@ -0,0 +1,124 @@
From 4f17f6e04534d93fbd23862f9f290d3a281ab30b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Fri, 5 Jun 2026 10:50:14 +0200
Subject: [PATCH] [3.14] gh-149144: Use decodeURIComponent() for UTF-8 support
in js_output() (GH-149157)
(cherry picked from commit 461b1d96313de02992d284c1782be9aff24586c9)
Co-authored-by: Seth Larson <seth@python.org>
---
Lib/http/cookies.py | 6 +++---
Lib/test/test_http_cookies.py | 27 ++++++++++++++-------------
2 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 5c5b14788dc2f09..abebb4b69fd05f4 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -391,18 +391,18 @@ def __repr__(self):
return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
def js_output(self, attrs=None):
- import base64
+ import urllib.parse
# Print javascript
output_string = self.OutputString(attrs)
if _has_control_character(output_string):
raise CookieError("Control characters are not allowed in cookies")
# Base64-encode value to avoid template
# injection in cookie values.
- output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii")
+ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8')
return """
<script type="text/javascript">
<!-- begin hiding
- document.cookie = atob(\"%s\");
+ document.cookie = decodeURIComponent(\"%s\");
// end hiding -->
</script>
""" % (output_encoded,)
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 4884b07c95b9c50..3ace949afd403eb 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -1,11 +1,11 @@
# Simple test suite for http/cookies.py
-import base64
import copy
import unittest
import doctest
from http import cookies
import pickle
from test import support
+import urllib.parse
class CookieTests(unittest.TestCase):
@@ -152,19 +152,19 @@ def test_load(self):
self.assertEqual(C.output(['path']),
'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii')
+ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme; Version=1', safe='', encoding='utf-8')
self.assertEqual(C.js_output(), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = atob("{cookie_encoded}");
+ document.cookie = decodeURIComponent("{cookie_encoded}");
// end hiding -->
</script>
""")
- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii')
+ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme', safe='', encoding='utf-8')
self.assertEqual(C.js_output(['path']), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = atob("{cookie_encoded}");
+ document.cookie = decodeURIComponent("{cookie_encoded}");
// end hiding -->
</script>
""")
@@ -269,19 +269,19 @@ def test_quoted_meta(self):
self.assertEqual(C.output(['path']),
'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii')
+ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', safe='', encoding='utf-8')
self.assertEqual(C.js_output(), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = atob("{expected_encoded_cookie}");
+ document.cookie = decodeURIComponent("{expected_encoded_cookie}");
// end hiding -->
</script>
""")
- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii')
+ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', encoding='utf-8')
self.assertEqual(C.js_output(['path']), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = atob("{expected_encoded_cookie}");
+ document.cookie = decodeURIComponent("{expected_encoded_cookie}");
// end hiding -->
</script>
""")
@@ -372,13 +372,14 @@ def test_setter(self):
self.assertEqual(
M.output(),
"Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i))
- expected_encoded_cookie = base64.b64encode(
- ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii")
- ).decode('ascii')
+ expected_encoded_cookie = urllib.parse.quote(
+ "%s=%s; Path=/foo" % (i, "%s_coded_val" % i),
+ safe='', encoding='utf-8',
+ )
expected_js_output = """
<script type="text/javascript">
<!-- begin hiding
- document.cookie = atob("%s");
+ document.cookie = decodeURIComponent("%s");
// end hiding -->
</script>
""" % (expected_encoded_cookie,)

6
python3.14.spec
View File

@ -437,6 +437,12 @@ Patch475: 00475-cve-2025-15367.patch
# direct call to the check function.
Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
# 00487 #
# Fixup for CVE-2026-6019
# Use decodeURIComponent() for UTF-8 support in js_output()
# Resolved upstream: https://github.com/python/cpython/issues/149144
Patch487: 00487-fixup-for-CVE-2026-6019.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,