Compare commits


No commits in common. "b0102e0faf1621667a015d52449f0adfa5c8afc8" and "3deead64956bba7a12f3030bf0798df0442a2ced" have entirely different histories.

6 changed files with 2 additions and 190 deletions


@ -1,99 +0,0 @@
From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Tue, 17 Oct 2023 19:35:39 +0300
Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
Conflict:Files dummyserver/handlers.py, test/with_dummyserver/test_connectionpool.py
and test/with_dummyserver/test_poolmanager.py do not exist. Therefore, no dummy server
and test case is involved.
Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
---
src/pip/_vendor/urllib3/_collections.py | 18 ++++++++++++++++++
src/pip/_vendor/urllib3/connectionpool.py | 5 +++++
src/pip/_vendor/urllib3/poolmanager.py | 7 +++++--
3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
index da9857e..bceb845 100644
--- a/src/pip/_vendor/urllib3/_collections.py
+++ b/src/pip/_vendor/urllib3/_collections.py
@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
else:
return vals[1:]
+ def _prepare_for_method_change(self):
+ """
+ Remove content-specific header fields before changing the request
+ method to GET or HEAD according to RFC 9110, Section 15.4.
+ """
+ content_specific_headers = [
+ "Content-Encoding",
+ "Content-Language",
+ "Content-Location",
+ "Content-Type",
+ "Content-Length",
+ "Digest",
+ "Last-Modified",
+ ]
+ for header in content_specific_headers:
+ self.discard(header)
+ return self
+
# Backwards compatibility for httplib
getheaders = getlist
getallmatchingheaders = getlist
diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
index 96844d9..5a6adcb 100644
--- a/src/pip/_vendor/urllib3/connectionpool.py
+++ b/src/pip/_vendor/urllib3/connectionpool.py
@@ -9,6 +9,7 @@ import warnings
from socket import error as SocketError
from socket import timeout as SocketTimeout
+from ._collections import HTTPHeaderDict
from .connection import (
BaseSSLError,
BrokenPipeError,
@@ -843,7 +844,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
redirect_location = redirect and response.get_redirect_location()
if redirect_location:
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
try:
retries = retries.increment(method, url, response=response, _pool=self)
diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
index 14b10da..fb51bf7 100644
--- a/src/pip/_vendor/urllib3/poolmanager.py
+++ b/src/pip/_vendor/urllib3/poolmanager.py
@@ -4,7 +4,7 @@ import collections
import functools
import logging
-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
from .exceptions import (
LocationValueError,
@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
# Support relative URLs for redirecting.
redirect_location = urljoin(url, redirect_location)
- # RFC 7231, Section 6.4.4
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ kw["body"] = None
+ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
retries = kw.get("retries")
if not isinstance(retries, Retry):
--
2.26.2.windows.1


@ -1,33 +0,0 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
Conflict:Files test/test_retry.py and test/with_dummyserver/test_poolmanager.py do not
exist. Therefore, no test case is involved.
Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
---
src/pip/_vendor/urllib3/util/retry.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
index 60ef6c4..9a1e90d 100644
--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
--
2.26.2.windows.1

pip-23.1.2.tar.gz Normal file




@ -1,8 +0,0 @@
[global]
timeout = 60
index-url = https://lpypi.loongnix.cn/loongson/pypi
extra-index-url = https://pypi.org/simple
[install]
trusted-host =
pypi.loongnix.cn
pypi.org


@ -5,18 +5,15 @@
pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes.
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
Name: python-%{srcname} Name: python-%{srcname}
Version: 23.3.1 Version: 23.1.2
Release: 3 Release: 1
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL: http://www.pip-installer.org URL: http://www.pip-installer.org
Source0: %{pypi_source} Source0: %{pypi_source}
Source1: pip.loongarch.conf
BuildArch: noarch BuildArch: noarch
Patch1: remove-existing-dist-only-if-path-conflicts.patch Patch1: remove-existing-dist-only-if-path-conflicts.patch
Patch6000: dummy-certifi.patch Patch6000: dummy-certifi.patch
Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
Patch6002: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
Source10: pip-allow-older-versions.patch Source10: pip-allow-older-versions.patch
@ -106,16 +103,9 @@ rm %{buildroot}%{python3_sitelib}/pip-%{version}.dist-info/RECORD
mkdir -p %{buildroot}%{python_wheeldir} mkdir -p %{buildroot}%{python_wheeldir}
install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir} install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
# Set default pip mirror via pip.conf
%ifarch loongarch64
install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
%endif
%files -n python%{python3_pkgversion}-%{srcname} %files -n python%{python3_pkgversion}-%{srcname}
%license LICENSE.txt %license LICENSE.txt
%ifarch loongarch64
%config(noreplace) %{_sysconfdir}/pip.conf
%endif
%{_bindir}/pip %{_bindir}/pip
%{_bindir}/pip3 %{_bindir}/pip3
%{_bindir}/pip-3* %{_bindir}/pip-3*
@ -134,44 +124,6 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
%{python_wheeldir}/%{python_wheelname} %{python_wheeldir}/%{python_wheelname}
%changelog %changelog
* Mon Mar 31 2025 Wenlong Zhang <zhangwenlong@loongson.cn> - 23.3.1-3
- change the index-url for loongarch64
* Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 23.3.1-2
- Fix CVE-2023-45803 and CVE-2024-37891
* Wed Jan 31 2024 gengqihu <gengqihu2@h-partners.com> - 23.3.1-1
- update version to 23.3.1
- Fix parallel pip cache downloads causing crash (#12364)
- Upgrade urllib3 to 1.26.17 (#12343)
- Fix zsh completion script (#12173)
- Fix #12166
- Move the setuptools settings into pyproject.toml
- Use `-r=...` instead of `-r ...` for hg
- Drop isort and flake8 settings from setup.cfg
- Follow imports for more vendored dependencies
- Enable mypy's strict equality checks (#12209)
- Fixed argument name in docstring
- Allow truststore to not import on Python 3.9 and earlier
- Vendor truststore
- Fix formatting, combine numbers not strings!
- Remove uses of `utcnow` in non-vendored code (#12006)
- Fix issues raised in code review
- move test_download_metadata mock pypi index utilities to conftest.py
- Use strict optional checking in req_install.py (#11379)
- Fix 'force' remove file without write permissions
- Dropped unused attribute
- Fix Pytest --use-venv init
- Limit the double download fix to wheels
- Fix slowness on Python 3.11 when updating an existing large environment.
- Fix `pip completion --zsh`
* Fri Sep 08 2023 zhuofeng <zhuofeng2@huawei.com> - 23.1.2-3
- fix that pip install failed
* Sun Jul 30 2023 Funda Wang <fundawang@yeah.net> - 23.1.2-2
- Use local mirrors for pip
* Fri Jun 9 2023 dillon chen <dillon.chen@gmail.com> - 23.1.2-1 * Fri Jun 9 2023 dillon chen <dillon.chen@gmail.com> - 23.1.2-1
- upgrade version to 23.1.2 - upgrade version to 23.1.2
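Review bot: Dropping `Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch` and `Patch6002: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch` in the first hunk, together with the Version/Release change from 23.3.1-3 to 23.1.2-1, leaves the vendored urllib3 under src/pip/_vendor/urllib3 without the 303-redirect body/header stripping and the Proxy-Authorization-on-redirect removal those patches carried, and nothing in this section shows an equivalent fix arriving with the 23.1.2 tarball. The removed changelog line "Upgrade urllib3 to 1.26.17" belongs to 23.3.1, which suggests 23.1.2 ships an older vendored urllib3, so the base version presumably does not mask the regression — worth confirming against the new Source0. If the downgrade is intentional, the two `Patch6001:` / `Patch6002:` lines should be kept (the patch files themselves are deleted in this compare and would need restoring, and whether they are applied by the %prep/%autosetup section is outside these hunks), or the `%changelog` should gain an entry stating why the CVE-2023-45803 and CVE-2024-37891 fixes are no longer carried.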