packages/python-urllib3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-28363

Browse Source
This commit is contained in:
shirely16 2021-06-01 12:22:35 +08:00
parent 640de4e3da
commit d04fbc38ae
2 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
backport-CVE-2021-28363.patch Normal file
View File

@ -0,0 +1,89 @@
From 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 Mon Sep 17 00:00:00 2001
From: Jorge <JALopezSilva@gmail.com>
Date: Mon, 15 Mar 2021 06:49:49 -0700
Subject: [PATCH] Merge pull request from GHSA-5phf-pp7p-vc2r
* Enable hostname verification for HTTPS proxies with default cert.
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
* Adjust exception check for Python 3.9+
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
* Use a SAN instead of a common name.
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
---
src/urllib3/connection.py | 4 ++++
test/conftest.py | 11 ++++++++++
.../test_proxy_poolmanager.py | 22 +++++++++++++++++++
3 files changed, 37 insertions(+)
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index 9066e6ade4..45580b7e1e 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -490,6 +490,10 @@ def _connect_tls_proxy(self, hostname, conn):
self.ca_cert_dir,
self.ca_cert_data,
)
+ # By default urllib3's SSLContext disables `check_hostname` and uses
+ # a custom check. For proxies we're good with relying on the default
+ # verification.
+ ssl_context.check_hostname = True
# If no cert was provided, use only the default options for server
# certificate validation
diff --git a/test/conftest.py b/test/conftest.py
index ff8e463186..96c9b2b5bc 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -64,6 +64,17 @@ def no_san_server(tmp_path_factory):
yield cfg
+@pytest.fixture
+def no_localhost_san_server(tmp_path_factory):
+ tmpdir = tmp_path_factory.mktemp("certs")
+ ca = trustme.CA()
+ # non localhost common name
+ server_cert = ca.issue_cert(u"example.com")
+
+ with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg:
+ yield cfg
+
+
@pytest.fixture
def ip_san_server(tmp_path_factory):
tmpdir = tmp_path_factory.mktemp("certs")
diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
index 737e5f7afa..c1535bd087 100644
--- a/test/with_dummyserver/test_proxy_poolmanager.py
+++ b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -543,3 +543,25 @@ def test_basic_ipv6_proxy(self):
r = http.request("GET", "%s/" % self.https_url)
assert r.status == 200
+
+
+class TestHTTPSProxyVerification:
+ @onlyPy3
+ def test_https_proxy_hostname_verification(self, no_localhost_san_server):
+ bad_server = no_localhost_san_server
+ bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port)
+
+ # An exception will be raised before we contact the destination domain.
+ test_url = "testing.com"
+ with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https:
+ with pytest.raises(MaxRetryError) as e:
+ https.request("GET", "http://%s/" % test_url)
+ assert isinstance(e.value.reason, SSLError)
+ assert "hostname 'localhost' doesn't match" in str(e.value.reason)
+
+ with pytest.raises(MaxRetryError) as e:
+ https.request("GET", "https://%s/" % test_url)
+ assert isinstance(e.value.reason, SSLError)
+ assert "hostname 'localhost' doesn't match" in str(
+ e.value.reason
+ ) or "Hostname mismatch" in str(e.value.reason)

6
python-urllib3.spec
View File

@ -3,7 +3,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 1.26.3 Version: 1.26.3
Release: 1 Release: 2
Summary: Sanity-friendly HTTP client for Python Summary: Sanity-friendly HTTP client for Python
License: MIT License: MIT
URL: https://urllib3.readthedocs.io URL: https://urllib3.readthedocs.io
@ -11,6 +11,7 @@ Source0: https://github.com/urllib3/urllib3/archive/%{version}/%{version}
Source1: ssl_match_hostname_py3.py Source1: ssl_match_hostname_py3.py
Patch0001: remove_mock.patch Patch0001: remove_mock.patch
Patch6000: backport-CVE-2021-28363.patch
BuildArch: noarch BuildArch: noarch
@ -72,6 +73,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
%{python3_sitelib}/urllib3-*.egg-info %{python3_sitelib}/urllib3-*.egg-info
%changelog %changelog
* Tue Jun 1 2021 hanhui <hanhui15@huawei.com> - 1.26.3-2
- fix CVE-2021-28363
* Wed Feb 3 2021 chengguipeng <chengguipeng@huawei.com> - 1.26.3-1 * Wed Feb 3 2021 chengguipeng <chengguipeng@huawei.com> - 1.26.3-1
- upgrade to 1.26.3 - upgrade to 1.26.3