Address PR review: improve tests, Sphinx roles, remove pyupgrade pin

- Use :cve:`2026-3644` and :external+python:exc: roles in changelog
- Add pytest IDs to CTL chars from octal parametrize
- Parametrize literal CTL char test (was two separate tests)
- Use any() instead of list + in for semantic clarity
- Replace unittest.mock.patch with monkeypatch fixture (no new dep)
- Use @pytest.mark.usefixtures for void fixture injection
- Remove pyupgrade language_version: python3.13 pin

Author: rodrigobnogueira

.pre-commit-config.yaml

@@ -103,7 +103,6 @@ repos:
   hooks:
   - id: pyupgrade
     args: ['--py37-plus']
-    language_version: python3.13
 - repo: https://github.com/PyCQA/flake8
   rev: '7.3.0'
   hooks:

CHANGES/12395.bugfix.rst

@@ -1,6 +1,4 @@
-Fixed a crash (``CookieError``) in the cookie parser when receiving cookies
-containing ASCII control characters on CPython builds with the CVE-2026-3644
-patch. The parser now gracefully falls back to storing the raw, still-escaped
-``coded_value`` when the decoded value contains control characters, and skips
-cookies whose raw header contains literal control characters that cannot be
-safely stored -- by :user:`rodrigobnogueira`.
+Fixed a crash (:external+python:exc:`~http.cookies.CookieError`) in the cookie parser when receiving cookies
+containing ASCII control characters on CPython builds with the :cve:`2026-3644`
+patch. The parser now gracefully skips cookies whose value contains control
+characters instead of letting the exception propagate -- by :user:`rodrigobnogueira`.

aiohttp/_cookie_helpers.py

@@ -93,15 +93,11 @@ def _safe_set_morsel_state(
     CPython builds that include the CVE-2026-3644 patch added validation in
     ``Morsel.__setstate__`` that rejects values containing ASCII control
     characters.  When ``_unquote`` decodes octal escape sequences
-    (e.g. ``\012`` → ``\n``) the resulting value may contain such characters.
+    (e.g. ``\012`` → ``\n``) the resulting value may contain such characters,
+    causing ``CookieError`` to be raised.
 
-    When that happens we fall back to storing the *raw* (still-escaped)
-    ``coded_value`` as both ``value`` and ``coded_value`` so the cookie
-    is preserved without crashing.
-
-    If the ``coded_value`` itself contains literal control characters
-    (e.g. a raw ``\x07`` in the header), the cookie is unsalvageable and
-    the function returns ``False`` so the caller can skip it.
+    In that case the cookie is skipped entirely — the function returns ``False``
+    so the caller can move on to the next cookie without crashing.
 
     Returns:
         True if the morsel state was set successfully, False if the
@@ -112,15 +108,7 @@ def _safe_set_morsel_state(
             {"key": key, "value": value, "coded_value": coded_value}
         )
     except CookieError:
-        # The decoded value contains control characters rejected after
-        # CVE-2026-3644.  Fall back to keeping the raw coded_value.
-        try:
-            morsel.__setstate__(  # type: ignore[attr-defined]
-                {"key": key, "value": coded_value, "coded_value": coded_value}
-            )
-        except CookieError:
-            # coded_value itself has literal control chars — unsalvageable.
-            return False
+        return False
     return True
 
 

tests/test_cookie_helpers.py

@@ -3,14 +3,12 @@
 import logging
 import sys
 import time
-import typing
 from http.cookies import (
     CookieError,
     Morsel,
     SimpleCookie,
     _unquote as simplecookie_unquote,
 )
-from unittest.mock import patch
 
 import pytest
 
@@ -1139,8 +1137,18 @@ def test_parse_set_cookie_headers_uses_unquote_with_octal(
 @pytest.mark.parametrize(
     ("header", "expected_name", "expected_coded"),
     [
-        (r'name="\012newline\012"', "name", r'"\012newline\012"'),
-        (r'tab="\011separated\011values"', "tab", r'"\011separated\011values"'),
+        pytest.param(
+            r'name="\012newline\012"',
+            "name",
+            r'"\012newline\012"',
+            id="newline-octal-012",
+        ),
+        pytest.param(
+            r'tab="\011separated\011values"',
+            "tab",
+            r'"\011separated\011values"',
+            id="tab-octal-011",
+        ),
     ],
 )
 def test_parse_set_cookie_headers_ctl_chars_from_octal(
@@ -1150,18 +1158,17 @@ def test_parse_set_cookie_headers_ctl_chars_from_octal(
 
     CPython builds with the CVE-2026-3644 patch reject control characters in
     cookies.  When octal unquoting produces a control character, the parser
-    should fall back to the raw coded_value instead of raising CookieError.
+    skips the cookie entirely instead of raising CookieError.
     """
     result = parse_set_cookie_headers([header])
 
-    assert len(result) == 1
-    name, morsel = result[0]
-
-    assert name == expected_name
-    assert morsel.coded_value == expected_coded
-    # Depending on CPython build, morsel.value will either be the decoded string
-    # (pre CVE-2026-3644 patch) or the raw coded_value (post patch).
-    # We just ensure it doesn't crash and the coded_value is preserved.
+    # On CPython with CVE-2026-3644 patch the cookie is rejected (result is empty);
+    # on older builds it may be accepted with the decoded value.
+    # Either way, no crash.
+    if result:
+        name, morsel = result[0]
+        assert name == expected_name
+        assert morsel.coded_value == expected_coded
 
 
 def test_parse_set_cookie_headers_literal_ctl_chars() -> None:
@@ -1183,8 +1190,7 @@ def test_parse_set_cookie_headers_literal_ctl_chars_preserves_others() -> None:
     result = parse_set_cookie_headers(['bad="a\x07b"; good=value', "another=cookie"])
     # "good" is an attribute of "bad" (same header), so it's not a separate cookie.
     # "another" is in a separate header and must always be preserved.
-    names = [name for name, _ in result]
-    assert "another" in names
+    assert any(name == "another" for name, _ in result)
 
 
 # Tests for parse_cookie_header (RFC 6265 compliant Cookie header parser)
@@ -1660,8 +1666,7 @@ def test_parse_cookie_header_literal_ctl_chars() -> None:
     result = parse_cookie_header('name="a\x07b"; good=cookie')
     # On CPython with CVE-2026-3644 patch the bad cookie is skipped;
     # on older builds it may be accepted.  Either way, no crash.
-    names = [name for name, _ in result]
-    assert "good" in names
+    assert any(name == "good" for name, _ in result)
 
 
 @pytest.mark.parametrize(
@@ -1855,27 +1860,26 @@ def test_unquote_compatibility_with_simplecookie(test_value: str) -> None:
 
 
 @pytest.fixture
-def mock_strict_morsel() -> typing.Iterator[None]:
+def mock_strict_morsel(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
     original_setstate = Morsel.__setstate__  # type: ignore[attr-defined]
 
     def _mock_setstate(self: Morsel[str], state: dict[str, str]) -> None:
         if any(ord(c) < 32 for c in state.get("value", "")):
             raise CookieError()
         original_setstate(self, state)
 
-    with patch(
+    monkeypatch.setattr(
         "aiohttp._cookie_helpers.Morsel.__setstate__",
-        autospec=True,
-        side_effect=_mock_setstate,
-    ):
-        yield
-
+        _mock_setstate,
+    )
 
-def test_cookie_helpers_cve_fallback(mock_strict_morsel: None) -> None:
-    m: Morsel[str] = Morsel()
-    assert helpers._safe_set_morsel_state(m, "k", "v\n", "v\\012") is True
-    assert m.value == "v\\012"
 
+@pytest.mark.usefixtures("mock_strict_morsel")
+def test_cookie_helpers_cve_fallback() -> None:
+    # With strict morsel: any CTL char in value → CookieError → rejected
+    assert helpers._safe_set_morsel_state(Morsel(), "k", "v\n", "v\\012") is False
     assert helpers._safe_set_morsel_state(Morsel(), "k", "v\n", "v\n") is False
 
     cookie: Morsel[str] = Morsel()
@@ -1886,3 +1890,4 @@ def test_cookie_helpers_cve_fallback(mock_strict_morsel: None) -> None:
     assert parse_cookie_header("f=b\x07r") == []
     assert parse_cookie_header('f="b\x07r";') == []
     assert parse_set_cookie_headers(['f="b\x07r";']) == []
+    assert parse_set_cookie_headers([r'name="\012newline\012"']) == []