[3.13] gh-143925: Reject control characters in data: URL mediatypes (#144111)

sethmlarson · web-flow · commit a35ca3be5842 · 2026-01-25T17:06:01.000Z
(cherry picked from commit f25509e)
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
@@ -12,6 +12,7 @@
 from test.support import os_helper
 from test.support import socket_helper
 from test.support import warnings_helper
+from test.support import control_characters_c0
 from test.support.testcase import ExtraAssertions
 import os
 try:
@@ -677,6 +678,13 @@ def test_invalid_base64_data(self):
         # missing padding character
         self.assertRaises(ValueError,urllib.request.urlopen,'data:;base64,Cg=')
 
+    def test_invalid_mediatype(self):
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html;{c0},data')
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError,urllib.request.urlopen,
+                              f'data:text/html{c0};base64,ZGF0YQ==')
 
 class urlretrieve_FileTests(unittest.TestCase):
     """Test urllib.urlretrieve() on local files"""
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
@@ -1636,6 +1636,11 @@ def data_open(self, req):
         scheme, data = url.split(":",1)
         mediatype, data = data.split(",",1)
 
+        # Disallow control characters within mediatype.
+        if re.search(r"[\x00-\x1F\x7F]", mediatype):
+            raise ValueError(
+                "Control characters not allowed in data: mediatype")
+
         # even base64 encoded data URLs might be quoted so unquote in any case:
         data = unquote_to_bytes(data)
         if mediatype.endswith(";base64"):
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
@@ -0,0 +1 @@
+Reject control characters in ``data:`` URL media types.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Reject control characters in ``data:`` URL media types.