Fix CookieError crash with control characters on CPython builds with CVE-2026-3644 patch

[rodrigobnogueira]

What do these changes do?

CPython builds that include the CVE-2026-3644 patch add strict validation to Morsel.__setstate__ that rejects values containing ASCII control characters. This causes aiohttp's cookie parser to crash with CookieError in two scenarios:

1. Octal escape sequences — _unquote decodes sequences like \012 to literal \n, which __setstate__ then rejects.
2. Literal control characters — A raw header containing e.g. \x07 (BEL) is unsalvageable since both the decoded value and the coded_value contain the control character.

This PR adds a _safe_set_morsel_state helper that:

• Wraps __setstate__ and catches CookieError
• For case 1 and case 2: returns False so callers gracefully skip the unsalvageable cookie instead of crashing

Are there changes in behavior for the user?

Yes. On CPython builds with the CVE-2026-3644 patch, when a server sends a cookie containing a control character:

• Octal-escaped control chars (e.g. \012): the cookie is silently skipped
• Literal control chars (e.g. \x07): the cookie is silently skipped

In both cases the parser no longer crashes. On CPython builds without the patch, behavior is unchanged.

Is it a substantial burden for the maintainers to support this?

No. The helper is a thin wrapper around the existing __setstate__ calls, uses the same patterns already established in the codebase, and is well-tested across both patched and unpatched CPython builds.

Related issue number

N/A — This addresses a crash introduced by CPython's CVE-2026-3644 security patch.

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
• Add a new news fragment into the CHANGES/ folder

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (7d534ab) to head (049232e).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #12395   +/-   ##
=======================================
  Coverage   98.92%   98.92%           
=======================================
  Files         134      134           
  Lines       46750    46802   +52     
  Branches     2429     2432    +3     
=======================================
+ Hits        46248    46300   +52     
  Misses        373      373           
  Partials      129      129           

Flag	Coverage Δ
CI-GHA	98.98% <96.77%> (-0.01%)	⬇️
OS-Linux	98.72% <96.77%> (-0.01%)	⬇️
OS-Windows	96.98% <96.77%> (-0.01%)	⬇️
OS-macOS	97.88% <96.77%> (-0.01%)	⬇️
Py-3.10.11	97.39% <96.77%> (-0.01%)	⬇️
Py-3.10.20	97.86% <96.77%> (-0.01%)	⬇️
Py-3.11.15	98.11% <96.77%> (-0.01%)	⬇️
Py-3.11.9	97.65% <96.77%> (+<0.01%)	⬆️
Py-3.12.10	97.73% <96.77%> (-0.01%)	⬇️
Py-3.12.13	98.20% <96.77%> (-0.01%)	⬇️
Py-3.13.13	98.43% <90.32%> (-0.02%)	⬇️
Py-3.14.4	98.49% <90.32%> (-0.02%)	⬇️
Py-3.14.4t	97.50% <90.32%> (-0.02%)	⬇️
Py-pypy3.11.15-7.3.21	97.35% <96.77%> (-0.01%)	⬇️
VM-macos	97.88% <96.77%> (-0.01%)	⬇️
VM-ubuntu	98.72% <96.77%> (-0.01%)	⬇️
VM-windows	96.98% <96.77%> (-0.01%)	⬇️
cython-coverage	38.03% <14.51%> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codspeed-hq]

Merging this PR will not alter performance

✅ 67 untouched benchmarks
⏩ 4 skipped benchmarks¹

---

_{Comparing rodrigobnogueira:fix-cookie-ctl-chars (049232e) with master (7d534ab)}

Footnotes

1. 4 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[bdraco]

Tested with Python 3.13.3 and control chars seem to be accepted. Version might need to be narrowed in the summary

[bdraco]

python/cpython@57e88c1

looks like something like parse_set_cookie_headers(['name="a\x07b"']) would still raise on a Python with the cve patch landed

[Dreamsorcerer]

It also restores the control character test cases that were previously masked.

I think you mean removed. I could see no reason that CTL characters were supposed to be allowed, the test was a generic test of octal unquoting. So my assumption is that the tests arbitrarily chose CTL characters and they were not a deliberate choice, nor did it suggest real cookies would have such characters. It seems fine to me for them to be rejected as a security concern.

[rodrigobnogueira]

It also restores the control character test cases that were previously masked.

I think you mean removed. I could see no reason that CTL characters were supposed to be allowed, the test was a generic test of octal unquoting. So my assumption is that the tests arbitrarily chose CTL characters and they were not a deliberate choice, nor did it suggest real cookies would have such characters. It seems fine to me for them to be rejected as a security concern.

Hello @Dreamsorcerer , the tests now describe what they actually verify (graceful handling vs crashing) without implying CTL chars should be allowed.
For context, this crash was originally surfaced by yarl's downstream CI on Python 3.13, where the "Aiohttp tests (3.13)" job failed with CookieError: Control characters are not allowed in cookies on 3 tests.

[rodrigobnogueira]

I added a few extra tests to fix the missing coverage reported by Codecov.

[rodrigobnogueira]

Pin pyupgrade to python3.13 to work around a crash introduced in Python 3.14 alpha (tokenize.cookie_re was changed from a string to a bytes pattern in 3.14, causing pyupgrade to fail with TypeError: cannot use a bytes pattern on a string-like object when run under 3.14). This is a pyupgrade bug

[webknjaz]

Wow, looks like pyupgrade still targets the Python 3.7 syntax. cc @Dreamsorcerer do we still need it that low?

---

Would it make sense to bump the tool's version in a standalone PR?

[webknjaz]

@rodrigobnogueira I haven't found any pyupgrade issue filed upstream? I recommend creating it there and linking from the commit or at least anywhere so it'd be clearer what problem you're referring to. If you can — it'd be a good idea to submit a fix upstream.

[webknjaz]

Below are a few notes/suggestions, not a full review.

[webknjaz]

Sphinx comes with a built-in role for this

Suggested change

	containing ASCII control characters on CPython builds with the CVE-2026-3644
	containing ASCII control characters on CPython builds with the :cve:`2026-3644`

[webknjaz]

Would this work?

Suggested change

	Fixed a crash (``CookieError``) in the cookie parser when receiving cookies
	Fixed a crash (:external+python:exc:`~http.cookies.
	CookieError`) in the cookie parser when receiving cookies

[webknjaz]

Could you add IDs here as a separate arg or right in the params?

[webknjaz]

Let's turn this into a parametrized test with one of the params having a skip mark based on the know CPython range so the runtime is known explicitly.

[rodrigobnogueira]

Done — turned this into a parametrized test with two cases (bel-in-value and bel-with-attribute).

[webknjaz]

Would this work with a generator expression?

Suggested change

	names = [name for name, _ in result]
	names = (name for name, _ in result)

[webknjaz]

Structures like this tend to read better semantically, plus there's no throw-away list creation and the iteration stops early:

Suggested change

	names = [name for name, _ in result]
	assert "good" in names
	assert any(name == "good" for name, _ in result)

[webknjaz]

Instead of calling the low-level stdlib interface, a natively integrated way would be using pytest-mock that provides a mocker fixture.

[Dreamsorcerer]

I've never really understood the point of the mocker fixture...

[webknjaz]

If you migrate to the builtin monkeypatch fixture, this would be enough to move away from the generator to a regular function here. But if you want to use the mocking/spying interface, you could depend on mocker instead.

[webknjaz]

When a fixture does not return a usable object, there's no need to inject it as a test function argument only to discard an unused local var. Instead, wire it through a mark as follows:

Suggested change

	def test_cookie_helpers_cve_fallback(mock_strict_morsel: None) -> None:
	@pytest.mark.usefixtures('mock_strict_morsel')
	def test_cookie_helpers_cve_fallback() -> None:

[Dreamsorcerer]

Wow, looks like pyupgrade still targets the Python 3.7 syntax. cc @Dreamsorcerer do we still need it that low?

I'm going to replace the whole setup with ruff in the near future, so haven't really looked at it. I did a manual upgrade with ruff a couple of months ago, though I only applied the safe fixes at that time, so still a few outdated bits in the code currently.

[Dreamsorcerer]

For context, this crash was originally surfaced by yarl's downstream CI on Python 3.13, where the "Aiohttp tests (3.13)" job failed with CookieError: Control characters are not allowed in cookies on 3 tests.

Yeah, I saw that. That's just because those tests are outdated, right? We can backport the change to 3.13 branch to resolve that.

[Dreamsorcerer]

For context, this crash was originally surfaced by yarl's downstream CI on Python 3.13, where the "Aiohttp tests (3.13)" job failed with CookieError: Control characters are not allowed in cookies on 3 tests.

Yeah, I saw that. That's just because those tests are outdated, right? We can backport the change to 3.13 branch to resolve that.

#12401

[Dreamsorcerer]

I'm still unclear to implications of allowing the coded_value here, rather than just rejecting the cookie entirely.

[rodrigobnogueira]

The fallback to coded_value preserves the cookie with its original escaped representation (e.g. "\012newline\012") instead of dropping it entirely. The coded_value at this point contains only printable ASCII (backslash-escaped octals), so there are no injection or smuggling concerns. If the application later echoes this cookie back via Cookie:, the server receives exactly what it originally set.

If you'd prefer to reject the cookie entirely instead, I can simplify the function to a single try/except that returns False on any CookieError.

[Dreamsorcerer]

I'm still leaning towards rejection. See what @bdraco thinks.

[rodrigobnogueira]

Done! Code is simpler now. I like it.

[bdraco]

I agree. Reject seems to be the way to go. Someone will complain if we really need to allow this

[Dreamsorcerer]

Should we drop this function now? Feels like it should just be inline again now.

[rodrigobnogueira]

done

[Princemachiavelli]

The new tests pass but don't the existing octal tests still expect decoding while they should be skipped now if CookieError exception is caught? (Actually I'd expect the behavior to depend on which Python version is used so should the tests just be disabled?)

> FAILED tests/test_cookie_helpers.py::test_parse_set_cookie_headers_uses_unquote_with_octal[name="\\012newline\\012"-name-\nnewline\n-"\\012newline\\012"] - assert 0 == 1
> FAILED tests/test_cookie_helpers.py::test_parse_set_cookie_headers_uses_unquote_with_octal[tab="\\011separated\\011values"-tab-\tseparated\tvalues-"\\011separated\\011values"] - assert 0 == 1
> FAILED tests/test_cookie_helpers.py::test_parse_set_cookie_headers_uses_unquote_with_octal[complex="\\042quoted\\042 text with \\012 newline"-complex-"quoted" text with \n newline-"\\042quoted\\042 text with \\012 newline"] - assert 0 == 1

This is on Python 3.13.13 and applied this PR to aiohttp 3.13.5.