diff --git a/00487-fixup-for-CVE-2026-6019.patch b/00487-fixup-for-CVE-2026-6019.patch
new file mode 100644
index 0000000..6390ec9
--- /dev/null
+++ b/00487-fixup-for-CVE-2026-6019.patch
@@ -0,0 +1,124 @@
+From 4f17f6e04534d93fbd23862f9f290d3a281ab30b Mon Sep 17 00:00:00 2001
+From: Petr Viktorin
+Date: Fri, 5 Jun 2026 10:50:14 +0200
+Subject: [PATCH] [3.14] gh-149144: Use decodeURIComponent() for UTF-8 support
+ in js_output() (GH-149157)
+
+(cherry picked from commit 461b1d96313de02992d284c1782be9aff24586c9)
+
+Co-authored-by: Seth Larson
+---
+ Lib/http/cookies.py | 6 +++---
+ Lib/test/test_http_cookies.py | 27 ++++++++++++++-------------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index 5c5b14788dc2f09..abebb4b69fd05f4 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -391,18 +391,18 @@ def __repr__(self):
+ return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
+
+ def js_output(self, attrs=None):
+- import base64
++ import urllib.parse
+ # Print javascript
+ output_string = self.OutputString(attrs)
+ if _has_control_character(output_string):
+ raise CookieError("Control characters are not allowed in cookies")
+ # Base64-encode value to avoid template
+ # injection in cookie values.
+- output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii")
++ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8')
+ return """ + + """ % (output_encoded,)
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 4884b07c95b9c50..3ace949afd403eb 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -1,11 +1,11 @@
+ # Simple test suite for http/cookies.py
+-import base64
+ import copy
+ import unittest
+ import doctest
+ from http import cookies
+ import pickle
+ from test import support
++import urllib.parse
+
+
+ class CookieTests(unittest.TestCase):
+@@ -152,19 +152,19 @@ def test_load(self):
+
+ self.assertEqual(C.output(['path']),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
+- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii')
++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme; Version=1', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(), fr""" + + """)
+- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii')
++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(['path']), fr""" + + """)
+@@ -269,19 +269,19 @@ def test_quoted_meta(self):
+
+ self.assertEqual(C.output(['path']),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
+- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii')
++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(), fr""" + + """)
+- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii')
++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', encoding='utf-8')
+
self.assertEqual(C.js_output(['path']), fr""" + + """)
+@@ -372,13 +372,14 @@ def test_setter(self):
+ self.assertEqual(
+ M.output(),
+ "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i))
+- expected_encoded_cookie = base64.b64encode(
+- ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii")
+- ).decode('ascii')
++ expected_encoded_cookie = urllib.parse.quote(
++ "%s=%s; Path=/foo" % (i, "%s_coded_val" % i),
++ safe='', encoding='utf-8',
++ )
+ expected_js_output = """ + + """ % (expected_encoded_cookie,)
diff --git a/python3.14.spec b/python3.14.spec
index 027b225..3bdc59c 100644
--- a/python3.14.spec
+++ b/python3.14.spec
@@ -437,6 +437,12 @@ Patch475: 00475-cve-2025-15367.patch
 # direct call to the check function.
 Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
+# 00487 #
+# Fixup for CVE-2026-6019
+# Use decodeURIComponent() for UTF-8 support in js_output()
+# Resolved upstream: https://github.com/python/cpython/issues/149144
+Patch487: 00487-fixup-for-CVE-2026-6019.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
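Review bot: The context lines `# Base64-encode value to avoid template` / `# injection in cookie values.` in the js_output() hunk now describe code that no longer exists, since the replacement line percent-encodes with `urllib.parse.quote(output_string, safe='', encoding='utf-8')`; rewrite them to state the property the sink relies on, e.g. `# Percent-encode everything but unreserved characters (safe='') so the value can contain no` / `# quote, backslash, newline or '<' inside the JS string literal; the page undoes it with decodeURIComponent().` That property does hold as written — quote() with safe='' emits only [A-Za-z0-9_.~-] and '%' — and a lone surrogate still raises UnicodeEncodeError under the default errors='strict' just as the old .encode('utf-8') did, so I see no new failure mode in the visible lines. The title sells this as UTF-8 support, yet every test expectation the patch touches (test_load, test_quoted_meta, test_setter) only re-encodes an ASCII value, so nothing exercises a non-ASCII cookie; one assertion on a value containing a character outside ASCII (say U+65E5) would pin the motivation for the change. The script template lines around `return """ … """ % (output_encoded,)` and the matching test expectations are not legible in this rendering, and the test methods shown begin and end outside their hunks, so the decodeURIComponent() side itself was not reviewed here.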
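Review bot: The new `# Fixup for CVE-2026-6019` comment block does not say which earlier patch it amends, although the patch's old side (the `import base64` line and base64-encoded test expectations it removes) presumably only exists once the original CVE-2026-6019 patch is applied, and that patch is not in this hunk's context (Patch475 and Patch477 are the visible neighbours). Naming it, e.g. `# Fixup for CVE-2026-6019 (applies on top of the patch that introduced base64 encoding in js_output())`, makes the ordering dependency visible to whoever next reorders or drops patches. Nothing else to raise: the entry follows the existing `# NNNNN #` heading and `PatchNNN:` layout.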