[3.10] gh-143925: Reject control characters in data: URL mediatypes

Lib/test/test_urllib.py

@@ -11,6 +11,7 @@
 fromtestimportsupport
 fromtest.supportimportos_helper
 fromtest.supportimportwarnings_helper
+fromtest.supportimportcontrol_characters_c0
 importos
 try:
 importssl
@@ -683,6 +684,13 @@ def test_invalid_base64_data(self):
 # missing padding character
 self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
 
+deftest_invalid_mediatype(self):
+forc0incontrol_characters_c0():
+self.assertRaises(ValueError,urllib.request.urlopen,
+f'data:text/html;{c0},data')
+forc0incontrol_characters_c0():
+self.assertRaises(ValueError,urllib.request.urlopen,
+f'data:text/html{c0};base64,ZGF0YQ==')
 
 classurlretrieve_FileTests(unittest.TestCase):
 """Test urllib.urlretrieve() on local files"""

Lib/urllib/request.py

@@ -1654,6 +1654,11 @@ def data_open(self, req):
  scheme, data = url.split(":",1)
  mediatype, data = data.split(",",1)
 
+ # Disallow control characters within mediatype.
+ if re.search(r"[\x00-\x1F\x7F]", mediatype):
+ raise ValueError(
+ "Control characters not allowed in data: mediatype")
+
  # even base64 encoded data URLs might be quoted so unquote in any case:
  data = unquote_to_bytes(data)
  if mediatype.endswith("base64"):

Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst

@@ -0,0 +1 @@
+Reject control characters in ``data:`` URL media types.