Skip to content

gh-143927: Normalize all line endings (CR, CRLF, and LF) in configparser #143929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sethmlarson wants to merge 1 commit into
base: main
Choose a base branch
from
Open

gh-143927: Normalize all line endings (CR, CRLF, and LF) in configparser #143929

sethmlarson wants to merge 1 commit into from
+16 −1

Conversation

@sethmlarson
Copy link
Contributor

@sethmlarson sethmlarson commented Jan 16, 2026
edited by bedevere-app bot
Loading

@sethmlarson sethmlarson added the type-security A security issue label Jan 16, 2026
@sethmlarson sethmlarson requested a review from jaraco as a code owner January 16, 2026 18:01
@sethmlarson sethmlarson added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Jan 16, 2026
@bedevere-app bedevere-app bot mentioned this pull request Jan 16, 2026
Open
cmaloney
cmaloney reviewed Jan 17, 2026
View reviewed changes
Lib/configparser.py
value)
if value is not None or not self._allow_no_value:
value = delimiter + str(value).replace('\n', '\n\t')
# Convert all possible line-endings into '\n\t'
Copy link
Contributor

@cmaloney cmaloney Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure the exact underlying security issue. As is, I think this will break round tripping on Windows; Text I/O used by the open expects to encode/decode newlines in particular formats on Windows by default (https://github.com/sethmlarson/cpython/blob/2a122fd420f5b425fd39848a48f5eb196cee2aa7/Lib/configparser.py#L753). See #143428 (comment) for a recent related case + more background links.

In the open calls can we use newline="" potentially?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cmaloney cmaloney cmaloney left review comments

@jaraco jaraco Awaiting requested review from jaraco jaraco is a code owner

Assignees

No one assigned

Labels

awaiting review needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sethmlarson @cmaloney