[PR #12091/8a631e74 backport][3.14] Restrict pickle deserialization in CookieJar.load()

[patchback]

This is a backport of PR #12091 as merged into master (8a631e7).

Changes

• _RestrictedCookieUnpickler — A pickle.Unpickler subclass that only allows cookie-related types (SimpleCookie, Morsel, defaultdict, and safe builtins). All other types (e.g. os.system, eval, exec, subprocess) raise UnpicklingError.

• CookieJar.load() — Now uses _RestrictedCookieUnpickler instead of bare pickle.load(). Fully backward compatible with existing pickle files containing legitimate cookies.

• CookieJar.save_json() / load_json() — New safe JSON-based alternatives for cookie persistence, immune to deserialization attacks by design.

• Documentation — Added .. warning:: directives to save()/load() and documented the new save_json()/load_json() methods.

• Tests — Added tests verifying:

  • os.system, eval, subprocess.call payloads are blocked
  • Legitimate cookies still load correctly (backward compat)
  • JSON roundtrip for standard, partitioned, and secure cookies
  • JSON format cannot execute code even with malicious-looking values

Test plan

• Malicious pickle payloads (os.system, eval, exec, subprocess.call, os.popen) are all rejected with UnpicklingError
• Existing legitimate pickled cookies load without any changes
• test_pickle_format regression test data loads through restricted unpickler
• save_json/load_json roundtrip preserves all cookie attributes (domain, path, secure, httponly, expires, max-age, samesite, partitioned)
• JSON format stores code-like strings as inert data, not executable

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.25%. Comparing base (bb61c2d) to head (231eccb).
⚠️ Report is 9 commits behind head on 3.14.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff            @@
##             3.14   #12105    +/-   ##
========================================
  Coverage   98.24%   98.25%            
========================================
  Files         129      129            
  Lines       45236    45604   +368     
  Branches     2450     2470    +20     
========================================
+ Hits        44442    44808   +366     
- Misses        612      615     +3     
+ Partials      182      181     -1     

Flag	Coverage Δ
CI-GHA	98.13% <100.00%> (+0.01%)	⬆️
OS-Linux	97.89% <100.00%> (+0.01%)	⬆️
OS-Windows	95.62% <100.00%> (+0.03%)	⬆️
OS-macOS	97.16% <100.00%> (+0.02%)	⬆️
Py-3.10.11	96.69% <100.00%> (+0.02%)	⬆️
Py-3.10.19	97.17% <100.00%> (+0.02%)	⬆️
Py-3.11.14	97.41% <100.00%> (+0.01%)	⬆️
Py-3.11.9	96.93% <100.00%> (+0.02%)	⬆️
Py-3.12.10	97.02% <100.00%> (+0.03%)	⬆️
Py-3.12.12	97.50% <100.00%> (+0.02%)	⬆️
Py-3.13.11	97.50% <100.00%> (+0.02%)	⬆️
Py-3.13.12	97.00% <100.00%> (+0.02%)	⬆️
Py-3.14.2	97.45% <100.00%> (+0.02%)	⬆️
Py-3.14.3	96.96% <100.00%> (+0.03%)	⬆️
Py-3.14.3t	96.78% <100.00%> (+0.01%)	⬆️
Py-pypy3.11.13-7.3.20	96.93% <100.00%> (+0.01%)	⬆️
VM-macos	97.16% <100.00%> (+0.02%)	⬆️
VM-ubuntu	97.89% <100.00%> (+0.01%)	⬆️
VM-windows	95.62% <100.00%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codspeed-hq]

Merging this PR will not alter performance

✅ 59 untouched benchmarks

---

_{Comparing patchback/backports/3.14/8a631e74c1d266499dbc6bcdbc83c60f4ea3ee3c/pr-12091 (231eccb) with 3.14 (4f12a66)}