packages/python-urllib3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:428794e8c771f7694d2dc05b4114292a9120bfac
Branches Tags
packages:main
..
compare: packages:eef5fb603223b17e3ed6add20362347efae31d49
Branches Tags
packages:main

No commits in common. "428794e8c771f7694d2dc05b4114292a9120bfac" and "eef5fb603223b17e3ed6add20362347efae31d49" have entirely different histories.
428794e8c7 ... eef5fb6032

5 changed files with 96 additions and 103 deletions
Show Stats Expand all files Collapse all files

BIN
1.26.16.tar.gz Normal file
View File

Binary file not shown.

BIN
1.26.18.tar.gz
View File

Binary file not shown.

93
backport-CVE-2021-28363.patch Normal file
View File

@ -0,0 +1,93 @@
From 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 Mon Sep 17 00:00:00 2001
From: Jorge <JALopezSilva@gmail.com>
Date: Mon, 15 Mar 2021 06:49:49 -0700
Subject: [PATCH] Merge pull request from GHSA-5phf-pp7p-vc2r
* Enable hostname verification for HTTPS proxies with default cert.
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
* Adjust exception check for Python 3.9+
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
* Use a SAN instead of a common name.
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
---
src/urllib3/connection.py | 4 ++++
test/conftest.py | 11 ++++++++++
.../test_proxy_poolmanager.py | 20 +++++++++++++++++++
3 files changed, 35 insertions(+)
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index 60f70f7..f59f29b 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -495,6 +495,10 @@ class HTTPSConnection(HTTPConnection):
self.ca_cert_dir,
self.ca_cert_data,
)
+ # By default urllib3's SSLContext disables `check_hostname` and uses
+ # a custom check. For proxies we're good with relying on the default
+ # verification.
+ ssl_context.check_hostname = True
# If no cert was provided, use only the default options for server
# certificate validation
diff --git a/test/conftest.py b/test/conftest.py
index 10c3a54..d4bbd97 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -103,6 +103,17 @@ def no_san_server(tmp_path_factory):
yield cfg
+@pytest.fixture
+def no_localhost_san_server(tmp_path_factory):
+ tmpdir = tmp_path_factory.mktemp("certs")
+ ca = trustme.CA()
+ # non localhost common name
+ server_cert = ca.issue_cert(u"example.com")
+
+ with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg:
+ yield cfg
+
+
@pytest.fixture
def no_san_proxy(tmp_path_factory):
tmpdir = tmp_path_factory.mktemp("certs")
diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
index d5e91a0..0f8df60 100644
--- a/test/with_dummyserver/test_proxy_poolmanager.py
+++ b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -565,6 +565,26 @@ class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase):
r = http.request("GET", "%s/" % self.https_url)
assert r.status == 200
+class TestHTTPSProxyVerification:
+ @onlyPy3
+ def test_https_proxy_hostname_verification(self, no_localhost_san_server):
+ bad_server = no_localhost_san_server
+ bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port)
+
+ # An exception will be raised before we contact the destination domain.
+ test_url = "testing.com"
+ with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https:
+ with pytest.raises(MaxRetryError) as e:
+ https.request("GET", "http://%s/" % test_url)
+ assert isinstance(e.value.reason, SSLError)
+ assert "hostname 'localhost' doesn't match" in str(e.value.reason)
+
+ with pytest.raises(MaxRetryError) as e:
+ https.request("GET", "https://%s/" % test_url)
+ assert isinstance(e.value.reason, SSLError)
+ assert "hostname 'localhost' doesn't match" in str(
+ e.value.reason
+ ) or "Hostname mismatch" in str(e.value.reason)
class TestHTTPSProxyVerification:
@onlyPy3
--
2.27.0

72
backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
View File

@ -1,72 +0,0 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
* Fix test_retry_default_remove_headers_on_redirect
* Set release date
Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified
because it has been deleted in the pre-phase of the spec file
Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
---
CHANGES.rst | 5 +++++
src/urllib3/util/retry.py | 4 +++-
test/test_retry.py | 6 +++++-
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 3a0a4f0..eba0814 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,11 @@
Changes
=======
+2.2.2 (2024-06-17)
+==================
+
+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
1.26.18 (2023-10-17)
--------------------
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 60ef6c4..9a1e90d 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index 6475f2a..a0463e4 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -296,7 +296,11 @@ class TestRetry(object):
def test_retry_default_remove_headers_on_redirect(self):
retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
def test_retry_set_remove_headers_on_redirect(self):
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
--
2.33.0

34
python-urllib3.spec
View File

@ -2,8 +2,8 @@
%bcond_without tests
Name: python-%{srcname}
Version: 1.26.18
Release: 2
Version: 1.26.16
Release: 1
Summary: Sanity-friendly HTTP client for Python
License: MIT
URL: https://urllib3.readthedocs.io
@ -11,8 +11,7 @@ Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.
Source1: ssl_match_hostname_py3.py
Patch0001: remove_mock.patch
Patch6000: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
Patch6000: backport-CVE-2021-28363.patch
BuildArch: noarch
@ -78,33 +77,6 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
%{python3_sitelib}/urllib3-*.egg-info
%changelog
* Tue Jun 25 2024 chengyechun <chengyechun1@huawei.com> - 1.26.18-2
- Type:CVE
- CVE:CVE-2024-37891
- SUG:NA
- DESC:fix CVE-2024-37891 Strip Proxy-Authorizatioin header on redirects
* Tue Feb 06 2024 chengyechun <chengyechun1@huawei.com> - 1.26.18-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:update python-urllib3 to version 1.26.18
* Tue Oct 31 2023 chengyechun <chengyechun1@huawei.com> - 1.26.17-2
- Type:CVE
- ID:CVE-2023-45803
- SUG:NA
- DESC:fix CVE-2023-45803 Made body stripped form HTTP requests
* Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 1.26.17-1
- Update to version 1.26.17 to fix CVE-2023-43804
* Tue Aug 01 2023 chengyechun <chengyechun1@huawei.com> - 1.26.16-2
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:delete the unnecessary patch
* Mon Jul 31 2023 chengyechun <chengyechun1@huawei.com> - 1.26.16-1
- Type:enhancement
- CVE:NA