!108 [sync] PR-104: fix CVE-2024-37891

From: @openeuler-sync-bot Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2024-07-16 09:12:46 +00:00 · 2024-07-16 09:12:46 +00:00 · 428794e8c7
commit 428794e8c7
parent 907cd76381 73ccd2269b
2 changed files with 81 additions and 1 deletions
--- a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
+++ b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
@ -0,0 +1,72 @@
 From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
 From: Quentin Pradet <quentin.pradet@gmail.com>
 Date: Mon, 17 Jun 2024 11:09:06 +0400
 Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
 * Strip Proxy-Authorization header on redirects
 * Fix test_retry_default_remove_headers_on_redirect
 * Set release date
 Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified
 because it has been deleted in the pre-phase of the spec file
 Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
 ---
 CHANGES.rst               | 5 +++++
 src/urllib3/util/retry.py | 4 +++-
 test/test_retry.py        | 6 +++++-
 3 files changed, 13 insertions(+), 2 deletions(-)
 diff --git a/CHANGES.rst b/CHANGES.rst
 index 3a0a4f0..eba0814 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changes
 =======
 +2.2.2 (2024-06-17)
 +==================
 +
 +- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
 +
 1.26.18 (2023-10-17)
 --------------------
 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
 index 60ef6c4..9a1e90d 100644
 --- a/src/urllib3/util/retry.py
 +++ b/src/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
 +        ["Cookie", "Authorization", "Proxy-Authorization"]
 +    )
     #: Maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
 diff --git a/test/test_retry.py b/test/test_retry.py
 index 6475f2a..a0463e4 100644
 --- a/test/test_retry.py
 +++ b/test/test_retry.py
@@ -296,7 +296,11 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 -        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 +        assert retry.remove_headers_on_redirect == {
 +            "authorization",
 +            "proxy-authorization",
 +            "cookie",
 +        }
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
 -- 
 2.33.0
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@ -3,7 +3,7 @@
 Name:           python-%{srcname}
 Version:        1.26.18
-Release:        1
+Release:        2
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://urllib3.readthedocs.io
@ -12,6 +12,8 @@ Source1:        ssl_match_hostname_py3.py
 Patch0001:      remove_mock.patch
 Patch6000:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 BuildArch:      noarch
 %description 
@ -76,6 +78,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 %changelog
 * Tue Jun 25 2024 chengyechun <chengyechun1@huawei.com> - 1.26.18-2
 - Type:CVE
 - CVE:CVE-2024-37891
 - SUG:NA
 - DESC:fix CVE-2024-37891 Strip Proxy-Authorizatioin header on redirects
 * Tue Feb 06 2024 chengyechun <chengyechun1@huawei.com> - 1.26.18-1
 - Type:enhancement
 - ID:NA