Skip to content

gh-143925: Reject control characters in data: URL mediatypes#143926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sethmlarson merged 2 commits into from
Jan 20, 2026
+21 −0
Merged

gh-143925: Reject control characters in data: URL mediatypes #143926

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d8850aa
Add 'test.support' fixture for C0 control characters
sethmlarson Jan 16, 2026
5fcd644
gh-143925: Reject control characters in data: URL mediatypes
sethmlarson Dec 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions Lib/test/support/__init__.py
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -3303,3 +3303,10 @@ def linked_to_musl():
return_linked_to_musl
_linked_to_musl=tuple(map(int, version.split('.')))
return_linked_to_musl


defcontrol_characters_c0() ->list[str]:
"""Returns a list of C0 control characters as strings.
C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
"""
return [chr(c) forcinrange(0x00, 0x20)] + ["\x7F"]
8 changes: 8 additions & 0 deletions Lib/test/test_urllib.py
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -10,6 +10,7 @@
fromtestimportsupport
fromtest.supportimportos_helper
fromtest.supportimportsocket_helper
fromtest.supportimportcontrol_characters_c0
importos
importsocket
try:
Expand DownExpand Up@@ -590,6 +591,13 @@ def test_invalid_base64_data(self):
# missing padding character
self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')

deftest_invalid_mediatype(self):
forc0incontrol_characters_c0():
self.assertRaises(ValueError,urllib.request.urlopen,
f'data:text/html;{c0},data')
forc0incontrol_characters_c0():
self.assertRaises(ValueError,urllib.request.urlopen,
f'data:text/html{c0};base64,ZGF0YQ==')

classurlretrieve_FileTests(unittest.TestCase):
"""Test urllib.urlretrieve() on local files"""
Expand Down
5 changes: 5 additions & 0 deletions Lib/urllib/request.py
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -1636,6 +1636,11 @@ def data_open(self, req):
scheme, data=url.split(":",1)
mediatype, data=data.split(",",1)

# Disallow control characters within mediatype.
ifre.search(r"[\x00-\x1F\x7F]", mediatype):
raiseValueError(
"Control characters not allowed in data: mediatype")

# even base64 encoded data URLs might be quoted so unquote in any case:
data=unquote_to_bytes(data)
ifmediatype.endswith("base64"):
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
Reject control characters in ``data:`` URL media types.
Loading