Victor's request

StanFromIreland · vstinner · StanFromIreland · commit ba6713e542a6 · 2026-03-16T12:39:31.000Z
Co-authored-by: Victor Stinner &lt;victor.stinner@gmail.com&gt;
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
@@ -338,7 +338,8 @@ def update(self, values):
             if key not in self._reserved:
                 raise CookieError("Invalid attribute %r" % (key,))
             if _has_control_character(key, val):
-                raise CookieError(f"Control characters are not allowed in cookies {key!r} {val!r}")
+                raise CookieError("Control characters are not allowed in "
+                                  f"cookies {key!r} {val!r}")
             data[key] = val
         dict.update(self, data)
 
@@ -371,9 +372,15 @@ def __getstate__(self):
         }
 
     def __setstate__(self, state):
-        self._key = state['key']
-        self._value = state['value']
-        self._coded_value = state['coded_value']
+        key = state['key']
+        value = state['value']
+        coded_value = state['coded_value']
+        if _has_control_character(key, value, coded_value):
+            raise CookieError("Control characters are not allowed in cookies "
+                              f"{key!r} {value!r} {coded_value!r}")
+        self._key = key
+        self._value = value
+        self._coded_value = coded_value
 
     def output(self, attrs=None, header="Set-Cookie:"):
         return "%s %s" % (header, self.OutputString(attrs))
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
@@ -604,6 +604,15 @@ def test_control_characters(self):
             with self.assertRaises(cookies.CookieError):
                 morsel["path"] = c0
 
+            # .__setstate__()
+            with self.assertRaises(cookies.CookieError):
+                morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'})
+            with self.assertRaises(cookies.CookieError):
+                morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'})
+            with self.assertRaises(cookies.CookieError):
+                morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0})
+
+
             # .setdefault()
             with self.assertRaises(cookies.CookieError):
                 morsel.setdefault("path", c0)
