Address PR review: improve tests, Sphinx roles, remove pyupgrade pin

- Use :cve:`2026-3644` and :external+python:exc: roles in changelog
- Add pytest IDs to CTL chars from octal parametrize
- Parametrize literal CTL char test (was two separate tests)
- Use any() instead of list + in for semantic clarity
- Replace unittest.mock.patch with monkeypatch fixture (no new dep)
- Use @pytest.mark.usefixtures for void fixture injection
- Remove pyupgrade language_version: python3.13 pin

Author: rodrigobnogueira

.pre-commit-config.yaml

@@ -103,7 +103,6 @@ repos:
   hooks:
   - id: pyupgrade
     args: ['--py37-plus']
-    language_version: python3.13
 - repo: https://github.com/PyCQA/flake8
   rev: '7.3.0'
   hooks:

CHANGES/12395.bugfix.rst

@@ -1,5 +1,5 @@
-Fixed a crash (``CookieError``) in the cookie parser when receiving cookies
-containing ASCII control characters on CPython builds with the CVE-2026-3644
+Fixed a crash (:external+python:exc:`~http.cookies.CookieError`) in the cookie parser when receiving cookies
+containing ASCII control characters on CPython builds with the :cve:`2026-3644`
 patch. The parser now gracefully falls back to storing the raw, still-escaped
 ``coded_value`` when the decoded value contains control characters, and skips
 cookies whose raw header contains literal control characters that cannot be

tests/test_cookie_helpers.py

@@ -3,14 +3,12 @@
 import logging
 import sys
 import time
-import typing
 from http.cookies import (
     CookieError,
     Morsel,
     SimpleCookie,
     _unquote as simplecookie_unquote,
 )
-from unittest.mock import patch
 
 import pytest
 
@@ -1139,8 +1137,18 @@ def test_parse_set_cookie_headers_uses_unquote_with_octal(
 @pytest.mark.parametrize(
     ("header", "expected_name", "expected_coded"),
     [
-        (r'name="\012newline\012"', "name", r'"\012newline\012"'),
-        (r'tab="\011separated\011values"', "tab", r'"\011separated\011values"'),
+        pytest.param(
+            r'name="\012newline\012"',
+            "name",
+            r'"\012newline\012"',
+            id="newline-octal-012",
+        ),
+        pytest.param(
+            r'tab="\011separated\011values"',
+            "tab",
+            r'"\011separated\011values"',
+            id="tab-octal-011",
+        ),
     ],
 )
 def test_parse_set_cookie_headers_ctl_chars_from_octal(
@@ -1164,27 +1172,43 @@ def test_parse_set_cookie_headers_ctl_chars_from_octal(
     # We just ensure it doesn't crash and the coded_value is preserved.
 
 
-def test_parse_set_cookie_headers_literal_ctl_chars() -> None:
+@pytest.mark.parametrize(
+    ("header", "expected_name"),
+    [
+        pytest.param(
+            'name="a\x07b"',
+            "name",
+            id="bel-in-value",
+        ),
+        pytest.param(
+            'bad="a\x07b"; good=value',
+            "bad",
+            id="bel-with-attribute",
+        ),
+    ],
+)
+def test_parse_set_cookie_headers_literal_ctl_chars(
+    header: str, expected_name: str
+) -> None:
     r"""Ensure literal control characters in a cookie value don't crash the parser.
 
     If the raw header itself contains a control character (e.g. BEL \\x07),
     both the decoded value and coded_value are unsalvageable.  The parser
     should gracefully skip the cookie instead of raising CookieError.
     """
-    result = parse_set_cookie_headers(['name="a\x07b"'])
+    result = parse_set_cookie_headers([header])
     # On CPython with CVE-2026-3644 patch the cookie is skipped;
     # on older builds it may be accepted.  Either way, no crash.
     if result:
-        assert result[0][0] == "name"
+        assert result[0][0] == expected_name
 
 
 def test_parse_set_cookie_headers_literal_ctl_chars_preserves_others() -> None:
     """Ensure a cookie with literal control chars doesn't break subsequent cookies."""
     result = parse_set_cookie_headers(['bad="a\x07b"; good=value', "another=cookie"])
     # "good" is an attribute of "bad" (same header), so it's not a separate cookie.
     # "another" is in a separate header and must always be preserved.
-    names = [name for name, _ in result]
-    assert "another" in names
+    assert any(name == "another" for name, _ in result)
 
 
 # Tests for parse_cookie_header (RFC 6265 compliant Cookie header parser)
@@ -1660,8 +1684,7 @@ def test_parse_cookie_header_literal_ctl_chars() -> None:
     result = parse_cookie_header('name="a\x07b"; good=cookie')
     # On CPython with CVE-2026-3644 patch the bad cookie is skipped;
     # on older builds it may be accepted.  Either way, no crash.
-    names = [name for name, _ in result]
-    assert "good" in names
+    assert any(name == "good" for name, _ in result)
 
 
 @pytest.mark.parametrize(
@@ -1855,23 +1878,24 @@ def test_unquote_compatibility_with_simplecookie(test_value: str) -> None:
 
 
 @pytest.fixture
-def mock_strict_morsel() -> typing.Iterator[None]:
+def mock_strict_morsel(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
     original_setstate = Morsel.__setstate__  # type: ignore[attr-defined]
 
     def _mock_setstate(self: Morsel[str], state: dict[str, str]) -> None:
         if any(ord(c) < 32 for c in state.get("value", "")):
             raise CookieError()
         original_setstate(self, state)
 
-    with patch(
+    monkeypatch.setattr(
         "aiohttp._cookie_helpers.Morsel.__setstate__",
-        autospec=True,
-        side_effect=_mock_setstate,
-    ):
-        yield
+        _mock_setstate,
+    )
 
 
-def test_cookie_helpers_cve_fallback(mock_strict_morsel: None) -> None:
+@pytest.mark.usefixtures("mock_strict_morsel")
+def test_cookie_helpers_cve_fallback() -> None:
     m: Morsel[str] = Morsel()
     assert helpers._safe_set_morsel_state(m, "k", "v\n", "v\\012") is True
     assert m.value == "v\\012"