Handle literal control chars in cookie values and address review feedback

- _safe_set_morsel_state now returns bool; callers skip unsalvageable cookies
- Handles both octal-decoded CTL chars and literal CTL chars in raw headers
- Added tests for literal control character edge case (bdraco feedback)
- Updated version wording to reference CVE-2026-3644 patch, not Python 3.13+
- Reworded test docstrings per Dreamsorcerer feedback

Author: rodrigobnogueira

CHANGES/12395.bugfix.rst

@@ -1,2 +1,6 @@
-Fixed a crash (``CookieError``) in the cookie parser when receiving a cookie containing ASCII control characters on Python 3.13+ (CVE-2026-3644). The parser now gracefully falls back to storing the raw, still-escaped ``coded_value`` without crashing the application.
--- by :user:`rodrigobnogueira`.
+Fixed a crash (``CookieError``) in the cookie parser when receiving cookies
+containing ASCII control characters on CPython builds with the CVE-2026-3644
+patch. The parser now gracefully falls back to storing the raw, still-escaped
+``coded_value`` when the decoded value contains control characters, and skips
+cookies whose raw header itself contains unsalvageable literal control
+characters -- by :user:`rodrigobnogueira`.

aiohttp/_cookie_helpers.py

@@ -87,28 +87,41 @@ def _safe_set_morsel_state(
     key: str,
     value: str,
     coded_value: str,
-) -> None:
-    r"""Set morsel state, handling Python 3.13+ control-character rejection.
+) -> bool:
+    r"""Set morsel state, handling control-character rejection after CVE-2026-3644.
 
-    Python 3.13 added validation in ``Morsel.__setstate__`` that rejects
-    values containing ASCII control characters (CVE-2026-3644).  When
-    ``_unquote`` decodes octal escape sequences (e.g. ``\\012`` → ``\\n``)
-    the resulting value may contain such characters.
+    CPython builds that include the CVE-2026-3644 patch added validation in
+    ``Morsel.__setstate__`` that rejects values containing ASCII control
+    characters.  When ``_unquote`` decodes octal escape sequences
+    (e.g. ``\012`` → ``\n``) the resulting value may contain such characters.
 
     When that happens we fall back to storing the *raw* (still-escaped)
     ``coded_value`` as both ``value`` and ``coded_value`` so the cookie
     is preserved without crashing.
+
+    If the ``coded_value`` itself contains literal control characters
+    (e.g. a raw ``\x07`` in the header), the cookie is unsalvageable and
+    the function returns ``False`` so the caller can skip it.
+
+    Returns:
+        True if the morsel state was set successfully, False if the
+        cookie should be skipped.
     """
     try:
         morsel.__setstate__(  # type: ignore[attr-defined]
             {"key": key, "value": value, "coded_value": coded_value}
         )
     except CookieError:
-        # The decoded value contains control characters that Python 3.13+
-        # rejects.  Fall back to keeping the raw coded_value as the value.
-        morsel.__setstate__(  # type: ignore[attr-defined]
-            {"key": key, "value": coded_value, "coded_value": coded_value}
-        )
+        # The decoded value contains control characters rejected after
+        # CVE-2026-3644.  Fall back to keeping the raw coded_value.
+        try:
+            morsel.__setstate__(  # type: ignore[attr-defined]
+                {"key": key, "value": coded_value, "coded_value": coded_value}
+            )
+        except CookieError:
+            # coded_value itself has literal control chars — unsalvageable.
+            return False
+    return True
 
 
 def preserve_morsel_with_coded_value(cookie: Morsel[str]) -> Morsel[str]:
@@ -131,7 +144,10 @@ def preserve_morsel_with_coded_value(cookie: Morsel[str]) -> Morsel[str]:
 
     """
     mrsl_val = cast("Morsel[str]", cookie.get(cookie.key, Morsel()))
-    _safe_set_morsel_state(mrsl_val, cookie.key, cookie.value, cookie.coded_value)
+    if not _safe_set_morsel_state(
+        mrsl_val, cookie.key, cookie.value, cookie.coded_value
+    ):
+        return cookie
     return mrsl_val
 
 
@@ -229,8 +245,8 @@ def parse_cookie_header(header: str) -> list[tuple[str, Morsel[str]]]:
                     invalid_names.append(key)
                 else:
                     morsel = Morsel()
-                    _safe_set_morsel_state(morsel, key, _unquote(value), value)
-                    cookies.append((key, morsel))
+                    if _safe_set_morsel_state(morsel, key, _unquote(value), value):
+                        cookies.append((key, morsel))
 
             # Move to next cookie or end
             i = next_semi + 1 if next_semi != -1 else n
@@ -248,7 +264,8 @@ def parse_cookie_header(header: str) -> list[tuple[str, Morsel[str]]]:
         # Create new morsel
         morsel = Morsel()
         # Preserve the original value as coded_value (with quotes if present)
-        _safe_set_morsel_state(morsel, key, _unquote(value), value)
+        if not _safe_set_morsel_state(morsel, key, _unquote(value), value):
+            continue
 
         cookies.append((key, morsel))
 
@@ -338,9 +355,13 @@ def parse_set_cookie_headers(headers: Sequence[str]) -> list[tuple[str, Morsel[s
                     # Create new morsel
                     current_morsel = Morsel()
                     # Preserve the original value as coded_value (with quotes if present)
-                    _safe_set_morsel_state(current_morsel, key, _unquote(value), value)
-                    parsed_cookies.append((key, current_morsel))
-                    morsel_seen = True
+                    if _safe_set_morsel_state(
+                        current_morsel, key, _unquote(value), value
+                    ):
+                        parsed_cookies.append((key, current_morsel))
+                        morsel_seen = True
+                    else:
+                        current_morsel = None
             else:
                 # Invalid cookie string - no value for non-attribute
                 break

tests/test_cookie_helpers.py

@@ -1141,14 +1141,14 @@ def test_parse_set_cookie_headers_uses_unquote_with_octal(
         (r'tab="\011separated\011values"', "tab", r'"\011separated\011values"'),
     ],
 )
-def test_parse_set_cookie_headers_ctl_chars(
+def test_parse_set_cookie_headers_ctl_chars_from_octal(
     header: str, expected_name: str, expected_coded: str
 ) -> None:
-    """Test that parse_set_cookie_headers does not crash on control characters.
+    """Ensure octal escapes that decode to control characters don't crash the parser.
 
-    Python 3.13+ rejects control characters in cookies. When octal unquoting results
-    in a control character, we fall back to using the safe coded_value as the value
-    to avoid crashing the parser.
+    CPython builds with the CVE-2026-3644 patch reject control characters in
+    cookies.  When octal unquoting produces a control character, the parser
+    should fall back to the raw coded_value instead of raising CookieError.
     """
     result = parse_set_cookie_headers([header])
 
@@ -1157,11 +1157,36 @@ def test_parse_set_cookie_headers_ctl_chars(
 
     assert name == expected_name
     assert morsel.coded_value == expected_coded
-    # Depending on the Python version, morsel.value will either be the decoded string
-    # (Python < 3.13) or the raw coded_value (Python >= 3.13).
+    # Depending on CPython build, morsel.value will either be the decoded string
+    # (pre CVE-2026-3644 patch) or the raw coded_value (post patch).
     # We just ensure it doesn't crash and the coded_value is preserved.
 
 
+def test_parse_set_cookie_headers_literal_ctl_chars() -> None:
+    """Ensure literal control characters in a cookie value don't crash the parser.
+
+    If the raw header itself contains a control character (e.g. BEL \\x07),
+    both the decoded value and coded_value are unsalvageable.  The parser
+    should gracefully skip the cookie instead of raising CookieError.
+    """
+    result = parse_set_cookie_headers(['name="a\x07b"'])
+    # On CPython with CVE-2026-3644 patch the cookie is skipped;
+    # on older builds it may be accepted.  Either way, no crash.
+    if result:
+        assert result[0][0] == "name"
+
+
+def test_parse_set_cookie_headers_literal_ctl_chars_preserves_others() -> None:
+    """Ensure a cookie with literal control chars doesn't break subsequent cookies."""
+    result = parse_set_cookie_headers(
+        ['bad="a\x07b"; good=value', "another=cookie"]
+    )
+    # "good" is an attribute of "bad" (same header), so it's not a separate cookie.
+    # "another" is in a separate header and must always be preserved.
+    names = [name for name, _ in result]
+    assert "another" in names
+
+
 # Tests for parse_cookie_header (RFC 6265 compliant Cookie header parser)