mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-27 20:13:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

python3: Fix CVE-2026-6019

Browse Source 
This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.

[1] 3c59b8b53f
[2] e7d4c3ff42
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019

(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Sudhir Dumbhare
2026-06-13 03:11:39 -07:00
committed by Paul Barker
parent 1401e6e003
commit 7731db5592
3 changed files with 264 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch Normal file
View File

@@ -0,0 +1,133 @@
From be751c3f3a11d40c2133bee5fb6ab6931df31936 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Thu, 23 Apr 2026 15:05:17 +0200
Subject: [PATCH] [3.13] gh-90309: Base64-encode cookie values embedded in
JS (GH-148888)
CVE: CVE-2026-6019
Upstream-Status: Backport [https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c]
Backport Changes:
- This file is not present in the current version and is therefore omitted.
Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst
(cherry picked from commit 76b3923d688c0efc580658476c5f525ec8735104)
Co-authored-by: Seth Larson <seth@python.org>
(cherry picked from commit 3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
Lib/http/cookies.py | 8 ++++++--
Lib/test/test_http_cookies.py | 29 ++++++++++++++++++-----------
2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 63d119ad46c..aebc2a163e4 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -389,17 +389,21 @@ class Morsel(dict):
return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
def js_output(self, attrs=None):
+ import base64
# Print javascript
output_string = self.OutputString(attrs)
if _has_control_character(output_string):
raise CookieError("Control characters are not allowed in cookies")
+ # Base64-encode value to avoid template
+ # injection in cookie values.
+ output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii")
return """
<script type="text/javascript">
<!-- begin hiding
- document.cookie = \"%s\";
+ document.cookie = atob(\"%s\");
// end hiding -->
</script>
- """ % (output_string.replace('"', r'\"'))
+ """ % (output_encoded,)
def OutputString(self, attrs=None):
# Build up our result
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 2478a6c630f..6aa5df068f9 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -1,5 +1,5 @@
# Simple test suite for http/cookies.py
-
+import base64
import copy
import unittest
import doctest
@@ -152,17 +152,19 @@ class CookieTests(unittest.TestCase):
self.assertEqual(C.output(['path']),
'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
- self.assertEqual(C.js_output(), r"""
+ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii')
+ self.assertEqual(C.js_output(), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1";
+ document.cookie = atob("{cookie_encoded}");
// end hiding -->
</script>
""")
- self.assertEqual(C.js_output(['path']), r"""
+ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii')
+ self.assertEqual(C.js_output(['path']), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme";
+ document.cookie = atob("{cookie_encoded}");
// end hiding -->
</script>
""")
@@ -259,17 +261,19 @@ class CookieTests(unittest.TestCase):
self.assertEqual(C.output(['path']),
'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
- self.assertEqual(C.js_output(), r"""
+ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii')
+ self.assertEqual(C.js_output(), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1";
+ document.cookie = atob("{expected_encoded_cookie}");
// end hiding -->
</script>
""")
- self.assertEqual(C.js_output(['path']), r"""
+ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii')
+ self.assertEqual(C.js_output(['path']), fr"""
<script type="text/javascript">
<!-- begin hiding
- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme";
+ document.cookie = atob("{expected_encoded_cookie}");
// end hiding -->
</script>
""")
@@ -360,13 +364,16 @@ class MorselTests(unittest.TestCase):
self.assertEqual(
M.output(),
"Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i))
+ expected_encoded_cookie = base64.b64encode(
+ ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii")
+ ).decode('ascii')
expected_js_output = """
<script type="text/javascript">
<!-- begin hiding
- document.cookie = "%s=%s; Path=/foo";
+ document.cookie = atob("%s");
// end hiding -->
</script>
- """ % (i, "%s_coded_val" % i)
+ """ % (expected_encoded_cookie,)
self.assertEqual(M.js_output(), expected_js_output)
for i in ["foo bar", "foo@bar"]:
# Try some illegal characters
--
2.35.6