fix CVE-2023-45803 and CVE-2024-37891

2024-07-13 16:52:51 +08:00 · 2024-07-13 16:52:51 +08:00 · 4e6d7b5935
commit 4e6d7b5935
parent 3d56052632
3 changed files with 138 additions and 1 deletions
--- a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
@ -0,0 +1,99 @@
 From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
 From: Illia Volochii <illia.volochii@gmail.com>
 Date: Tue, 17 Oct 2023 19:35:39 +0300
 Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
 Conflict:Files dummyserver/handlers.py, test/with_dummyserver/test_connectionpool.py
 and test/with_dummyserver/test_poolmanager.py do not exist. Therefore, no dummy server
 and test case is involved.
 Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
 ---
 src/pip/_vendor/urllib3/_collections.py   | 18 ++++++++++++++++++
 src/pip/_vendor/urllib3/connectionpool.py |  5 +++++
 src/pip/_vendor/urllib3/poolmanager.py    |  7 +++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
 diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
 index da9857e..bceb845 100644
 --- a/src/pip/_vendor/urllib3/_collections.py
 +++ b/src/pip/_vendor/urllib3/_collections.py
@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
         else:
             return vals[1:]
 +    def _prepare_for_method_change(self):
 +        """
 +        Remove content-specific header fields before changing the request
 +        method to GET or HEAD according to RFC 9110, Section 15.4.
 +        """
 +        content_specific_headers = [
 +            "Content-Encoding",
 +            "Content-Language",
 +            "Content-Location",
 +            "Content-Type",
 +            "Content-Length",
 +            "Digest",
 +            "Last-Modified",
 +        ]
 +        for header in content_specific_headers:
 +            self.discard(header)
 +        return self
 +
     # Backwards compatibility for httplib
     getheaders = getlist
     getallmatchingheaders = getlist
 diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
 index 96844d9..5a6adcb 100644
 --- a/src/pip/_vendor/urllib3/connectionpool.py
 +++ b/src/pip/_vendor/urllib3/connectionpool.py
@@ -9,6 +9,7 @@ import warnings
 from socket import error as SocketError
 from socket import timeout as SocketTimeout
 +from ._collections import HTTPHeaderDict
 from .connection import (
     BaseSSLError,
     BrokenPipeError,
@@ -843,7 +844,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
         redirect_location = redirect and response.get_redirect_location()
         if redirect_location:
             if response.status == 303:
 +                # Change the method according to RFC 9110, Section 15.4.4.
                 method = "GET"
 +                # And lose the body not to transfer anything sensitive.
 +                body = None
 +                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
             try:
                 retries = retries.increment(method, url, response=response, _pool=self)
 diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
 index 14b10da..fb51bf7 100644
 --- a/src/pip/_vendor/urllib3/poolmanager.py
 +++ b/src/pip/_vendor/urllib3/poolmanager.py
@@ -4,7 +4,7 @@ import collections
 import functools
 import logging
 -from ._collections import RecentlyUsedContainer
 +from ._collections import HTTPHeaderDict, RecentlyUsedContainer
 from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
 from .exceptions import (
     LocationValueError,
@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
         # Support relative URLs for redirecting.
         redirect_location = urljoin(url, redirect_location)
 -        # RFC 7231, Section 6.4.4
         if response.status == 303:
 +            # Change the method according to RFC 9110, Section 15.4.4.
             method = "GET"
 +            # And lose the body not to transfer anything sensitive.
 +            kw["body"] = None
 +            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
         retries = kw.get("retries")
         if not isinstance(retries, Retry):
 -- 
 2.26.2.windows.1
--- a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
+++ b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
@ -0,0 +1,33 @@
 From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
 From: Quentin Pradet <quentin.pradet@gmail.com>
 Date: Mon, 17 Jun 2024 11:09:06 +0400
 Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
 * Strip Proxy-Authorization header on redirects
 Conflict:Files test/test_retry.py and test/with_dummyserver/test_poolmanager.py do not
 exist. Therefore, no test case is involved.
 Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
 ---
 src/pip/_vendor/urllib3/util/retry.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
 index 60ef6c4..9a1e90d 100644
 --- a/src/pip/_vendor/urllib3/util/retry.py
 +++ b/src/pip/_vendor/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
 +        ["Cookie", "Authorization", "Proxy-Authorization"]
 +    )
     #: Maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
 -- 
 2.26.2.windows.1
--- a/python-pip.spec
+++ b/python-pip.spec
@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        23.3.1
-Release:        1
+Release:        2
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@ -15,6 +15,8 @@ Source1:        pip.loongarch.conf
 BuildArch:      noarch
 Patch1:         remove-existing-dist-only-if-path-conflicts.patch
 Patch6000:      dummy-certifi.patch
 Patch6001:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
 Patch6002:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 Source10: 	pip-allow-older-versions.patch
@ -132,6 +134,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
 %{python_wheeldir}/%{python_wheelname}
 %changelog
 * Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 23.3.1-2
 - Fix CVE-2023-45803 and CVE-2024-37891
 * Wed Jan 31 2024 gengqihu <gengqihu2@h-partners.com> - 23.3.1-1
 - update version to 23.3.1
 - Fix parallel pip cache downloads causing crash (#12364)