!77 Delete unnecessary patches.
From: @chengyechun Reviewed-by: @robertxw Signed-off-by: @robertxw
This commit is contained in:
openeuler-ci-bot
Gitee
commit
1e7e884a98
@ -1,93 +0,0 @@
|
||||
From 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 Mon Sep 17 00:00:00 2001
|
||||
From: Jorge <JALopezSilva@gmail.com>
|
||||
Date: Mon, 15 Mar 2021 06:49:49 -0700
|
||||
Subject: [PATCH] Merge pull request from GHSA-5phf-pp7p-vc2r
|
||||
|
||||
* Enable hostname verification for HTTPS proxies with default cert.
|
||||
|
||||
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
|
||||
|
||||
* Adjust exception check for Python 3.9+
|
||||
|
||||
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
|
||||
|
||||
* Use a SAN instead of a common name.
|
||||
|
||||
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
|
||||
---
|
||||
src/urllib3/connection.py | 4 ++++
|
||||
test/conftest.py | 11 ++++++++++
|
||||
.../test_proxy_poolmanager.py | 20 +++++++++++++++++++
|
||||
3 files changed, 35 insertions(+)
|
||||
|
||||
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
|
||||
index 60f70f7..f59f29b 100644
|
||||
--- a/src/urllib3/connection.py
|
||||
+++ b/src/urllib3/connection.py
|
||||
@@ -495,6 +495,10 @@ class HTTPSConnection(HTTPConnection):
|
||||
self.ca_cert_dir,
|
||||
self.ca_cert_data,
|
||||
)
|
||||
+ # By default urllib3's SSLContext disables `check_hostname` and uses
|
||||
+ # a custom check. For proxies we're good with relying on the default
|
||||
+ # verification.
|
||||
+ ssl_context.check_hostname = True
|
||||
|
||||
# If no cert was provided, use only the default options for server
|
||||
# certificate validation
|
||||
diff --git a/test/conftest.py b/test/conftest.py
|
||||
index 10c3a54..d4bbd97 100644
|
||||
--- a/test/conftest.py
|
||||
+++ b/test/conftest.py
|
||||
@@ -103,6 +103,17 @@ def no_san_server(tmp_path_factory):
|
||||
yield cfg
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def no_localhost_san_server(tmp_path_factory):
|
||||
+ tmpdir = tmp_path_factory.mktemp("certs")
|
||||
+ ca = trustme.CA()
|
||||
+ # non localhost common name
|
||||
+ server_cert = ca.issue_cert(u"example.com")
|
||||
+
|
||||
+ with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg:
|
||||
+ yield cfg
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def no_san_proxy(tmp_path_factory):
|
||||
tmpdir = tmp_path_factory.mktemp("certs")
|
||||
diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
|
||||
index d5e91a0..0f8df60 100644
|
||||
--- a/test/with_dummyserver/test_proxy_poolmanager.py
|
||||
+++ b/test/with_dummyserver/test_proxy_poolmanager.py
|
||||
@@ -565,6 +565,26 @@ class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase):
|
||||
r = http.request("GET", "%s/" % self.https_url)
|
||||
assert r.status == 200
|
||||
|
||||
+class TestHTTPSProxyVerification:
|
||||
+ @onlyPy3
|
||||
+ def test_https_proxy_hostname_verification(self, no_localhost_san_server):
|
||||
+ bad_server = no_localhost_san_server
|
||||
+ bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port)
|
||||
+
|
||||
+ # An exception will be raised before we contact the destination domain.
|
||||
+ test_url = "testing.com"
|
||||
+ with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https:
|
||||
+ with pytest.raises(MaxRetryError) as e:
|
||||
+ https.request("GET", "http://%s/" % test_url)
|
||||
+ assert isinstance(e.value.reason, SSLError)
|
||||
+ assert "hostname 'localhost' doesn't match" in str(e.value.reason)
|
||||
+
|
||||
+ with pytest.raises(MaxRetryError) as e:
|
||||
+ https.request("GET", "https://%s/" % test_url)
|
||||
+ assert isinstance(e.value.reason, SSLError)
|
||||
+ assert "hostname 'localhost' doesn't match" in str(
|
||||
+ e.value.reason
|
||||
+ ) or "Hostname mismatch" in str(e.value.reason)
|
||||
|
||||
class TestHTTPSProxyVerification:
|
||||
@onlyPy3
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 1.26.16
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: Sanity-friendly HTTP client for Python
|
||||
License: MIT
|
||||
URL: https://urllib3.readthedocs.io
|
||||
@ -11,7 +11,6 @@ Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.
|
||||
Source1: ssl_match_hostname_py3.py
|
||||
|
||||
Patch0001: remove_mock.patch
|
||||
Patch6000: backport-CVE-2021-28363.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -77,6 +76,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
|
||||
%{python3_sitelib}/urllib3-*.egg-info
|
||||
|
||||
%changelog
|
||||
* Tue Aug 01 2023 chengyechun <chengyechun1@huawei.com> - 1.26.16-2
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC:delete the unnecessary patch
|
||||
|
||||
* Mon Jul 31 2023 chengyechun <chengyechun1@huawei.com> - 1.26.16-1
|
||||
- Type:enhancement
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user