!108 [sync] PR-104: fix CVE-2024-37891

From: @openeuler-sync-bot 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng

backport-CVE-2021-28363.patch

@@ -1,93 +0,0 @@
-From 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 Mon Sep 17 00:00:00 2001
-From: Jorge <JALopezSilva@gmail.com>
-Date: Mon, 15 Mar 2021 06:49:49 -0700
-Subject: [PATCH] Merge pull request from GHSA-5phf-pp7p-vc2r
-
-* Enable hostname verification for HTTPS proxies with default cert.
-
-Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
-
-* Adjust exception check for Python 3.9+
-
-Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
-
-* Use a SAN instead of a common name.
-
-Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
----
- src/urllib3/connection.py                     |  4 ++++
- test/conftest.py                              | 11 ++++++++++
- .../test_proxy_poolmanager.py                 | 20 +++++++++++++++++++
- 3 files changed, 35 insertions(+)
-
-diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
-index 60f70f7..f59f29b 100644
---- a/src/urllib3/connection.py
-+++ b/src/urllib3/connection.py
-@@ -495,6 +495,10 @@ class HTTPSConnection(HTTPConnection):
-             self.ca_cert_dir,
-             self.ca_cert_data,
-         )
-+        # By default urllib3's SSLContext disables `check_hostname` and uses
-+        # a custom check. For proxies we're good with relying on the default
-+        # verification.
-+        ssl_context.check_hostname = True
- 
-         # If no cert was provided, use only the default options for server
-         # certificate validation
-diff --git a/test/conftest.py b/test/conftest.py
-index 10c3a54..d4bbd97 100644
---- a/test/conftest.py
-+++ b/test/conftest.py
-@@ -103,6 +103,17 @@ def no_san_server(tmp_path_factory):
-         yield cfg
- 
- 
-+@pytest.fixture
-+def no_localhost_san_server(tmp_path_factory):
-+    tmpdir = tmp_path_factory.mktemp("certs")
-+    ca = trustme.CA()
-+    # non localhost common name
-+    server_cert = ca.issue_cert(u"example.com")
-+
-+    with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg:
-+        yield cfg
-+
-+
- @pytest.fixture
- def no_san_proxy(tmp_path_factory):
-     tmpdir = tmp_path_factory.mktemp("certs")
-diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
-index d5e91a0..0f8df60 100644
---- a/test/with_dummyserver/test_proxy_poolmanager.py
-+++ b/test/with_dummyserver/test_proxy_poolmanager.py
-@@ -565,6 +565,26 @@ class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase):
-             r = http.request("GET", "%s/" % self.https_url)
-             assert r.status == 200
- 
-+class TestHTTPSProxyVerification:
-+    @onlyPy3
-+    def test_https_proxy_hostname_verification(self, no_localhost_san_server):
-+        bad_server = no_localhost_san_server
-+        bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port)
-+
-+        # An exception will be raised before we contact the destination domain.
-+        test_url = "testing.com"
-+        with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https:
-+            with pytest.raises(MaxRetryError) as e:
-+                https.request("GET", "http://%s/" % test_url)
-+            assert isinstance(e.value.reason, SSLError)
-+            assert "hostname 'localhost' doesn't match" in str(e.value.reason)
-+
-+            with pytest.raises(MaxRetryError) as e:
-+                https.request("GET", "https://%s/" % test_url)
-+            assert isinstance(e.value.reason, SSLError)
-+            assert "hostname 'localhost' doesn't match" in str(
-+                e.value.reason
-+            ) or "Hostname mismatch" in str(e.value.reason)
- 
- class TestHTTPSProxyVerification:
-     @onlyPy3
--- 
-2.27.0
-

backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch

@@ -0,0 +1,72 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+
+Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified
+because it has been deleted in the pre-phase of the spec file
+Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
+
+---
+ CHANGES.rst               | 5 +++++
+ src/urllib3/util/retry.py | 4 +++-
+ test/test_retry.py        | 6 +++++-
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES.rst b/CHANGES.rst
+index 3a0a4f0..eba0814 100644
+--- a/CHANGES.rst
++++ b/CHANGES.rst
+@@ -1,6 +1,11 @@
+ Changes
+ =======
+ 
++2.2.2 (2024-06-17)
++==================
++
++- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
++
+ 1.26.18 (2023-10-17)
+ --------------------
+ 
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 60ef6c4..9a1e90d 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -235,7 +235,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 6475f2a..a0463e4 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -296,7 +296,11 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++        assert retry.remove_headers_on_redirect == {
++            "authorization",
++            "proxy-authorization",
++            "cookie",
++        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.33.0
+

python-urllib3.spec

@@ -2,8 +2,8 @@
 %bcond_without tests
 
 Name:           python-%{srcname}
-Version:        1.26.16
+Version:        1.26.18
-Release:        1
+Release:        2
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://urllib3.readthedocs.io
@@ -11,7 +11,8 @@ Source0:        https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.
 Source1:        ssl_match_hostname_py3.py
 
 Patch0001:      remove_mock.patch
-Patch6000:      backport-CVE-2021-28363.patch
+
+Patch6000:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 
 BuildArch:      noarch
 
@@ -77,6 +78,33 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 
 %changelog
+* Tue Jun 25 2024 chengyechun <chengyechun1@huawei.com> - 1.26.18-2
+- Type:CVE
+- CVE:CVE-2024-37891
+- SUG:NA
+- DESC:fix CVE-2024-37891 Strip Proxy-Authorizatioin header on redirects
+
+* Tue Feb 06 2024 chengyechun <chengyechun1@huawei.com> - 1.26.18-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update python-urllib3 to version 1.26.18
+
+* Tue Oct 31 2023 chengyechun <chengyechun1@huawei.com> - 1.26.17-2
+- Type:CVE
+- ID:CVE-2023-45803
+- SUG:NA
+- DESC:fix CVE-2023-45803 Made body stripped form HTTP requests
+
+* Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 1.26.17-1
+- Update to version 1.26.17 to fix CVE-2023-43804
+
+* Tue Aug 01 2023 chengyechun <chengyechun1@huawei.com> - 1.26.16-2
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:delete the unnecessary patch
+
 * Mon Jul 31 2023 chengyechun <chengyechun1@huawei.com> - 1.26.16-1
 - Type:enhancement
 - CVE:NA