gh-145599: Reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output

[StanFromIreland]

• Issue: Reject control characters in more places in http.cookies.Morsel #145599

[sethmlarson]

One small comment, otherwise LGTM. Thank you!

[vstinner]

Are you sure about the CVE number?

[StanFromIreland]

This one has been reserved for it, see the sidebar of the GHSA.

[vstinner]

LGTM. Thanks for the updates.

[miss-islington-app]

Thanks @StanFromIreland for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

[bedevere-app]

GH-146023 is a backport of this pull request to the 3.14 branch.

[bedevere-app]

GH-146024 is a backport of this pull request to the 3.13 branch.

[miss-islington-app]

Sorry, @StanFromIreland and @vstinner, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 57e88c1cf95e1481b94ae57abe1010469d47a6b4 3.10

[bedevere-app]

GH-146025 is a backport of this pull request to the 3.12 branch.

[bedevere-app]

GH-146026 is a backport of this pull request to the 3.11 branch.

[bedevere-app]

GH-146027 is a backport of this pull request to the 3.10 branch.

[vstinner]

Merged, thanks for your fix @StanFromIreland.

Are you sure about the CVE number?

This one has been reserved for it, see the sidebar of the GHSA.

Are you talking about https://github.com/python/cpython/security/advisories ? I don't see CVE 2026-3644 there.

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Arch Linux Usan Function 3.13 (no tier) has failed when building commit d16ecc6.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1601/builds/687) and take a look at the build logs.
4. Check if the failure is related to this commit (d16ecc6) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1601/builds/687

Failed tests:

• test_urllib2net

Summary of the results of the build (if available):

==

Click to see traceback logs

Note: switching to 'd16ecc6c3626f0e2cc8f08c309c83934e8a979dd'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at d16ecc6c362 [3.13] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600) (#146024)
Switched to and reset branch '3.13'

make: *** [Makefile:2252: buildbottest] Error 2