From 12a81548d592f9eca33e2ec591b6e9c5eb105bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 15 Nov 2024 12:53:48 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 saltbundlepy-urllib3 revision cadb12ccb5fa1cc55fcc1ccd8e742bee
---
CVE-2024-37891.patch | 154 ++++++++++++++++++++
no-strict-OpenSSL-1.1.1.patch | 30 ++++
openssl-3.2.patch | 34 -----
remove_mock.patch | 261 ----------------------------------
saltbundlepy-urllib3.changes | 102 +++++++++++++
saltbundlepy-urllib3.spec | 54 +++----
urllib3-1.26.18.tar.gz | 3 -
urllib3-2.0.7.tar.gz | 3 +
8 files changed, 309 insertions(+), 332 deletions(-)
create mode 100644 CVE-2024-37891.patch
create mode 100644 no-strict-OpenSSL-1.1.1.patch
delete mode 100644 openssl-3.2.patch
delete mode 100644 remove_mock.patch
delete mode 100644 urllib3-1.26.18.tar.gz
create mode 100644 urllib3-2.0.7.tar.gz
diff --git a/CVE-2024-37891.patch b/CVE-2024-37891.patch
new file mode 100644
index 0000000..f5c3888
--- /dev/null
+++ b/CVE-2024-37891.patch
@@ -0,0 +1,154 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 ++++- + test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++--- + 4 files changed, 37 insertions(+), 5 deletions(-) + + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 7a76a4a6ad..0456cceba4 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -189,7 +189,9 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Default maximum backoff time. 
+ DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index f71e7acc9e..ac3ce4ca73 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None: + def test_retry_default_remove_headers_on_redirect(self) -> None: + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self) -> None: + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index 4fa9ec850a..af77241d6c 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None: + "GET", + f"{self.base_url}/redirect", + fields={"target": f"{self.base_url_alt}/headers"}, +- headers={"Authorization": "foo", "Cookie": "foo=bar"}, ++ headers={ ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ }, + ) + + assert r.status == 200 +@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None: + data = r.json() + + assert "Authorization" not in data ++ assert "Proxy-Authorization" not in data + assert "Cookie" not in data + + r = http.request( + "GET", + f"{self.base_url}/redirect", + fields={"target": f"{self.base_url_alt}/headers"}, +- headers={"authorization": "foo", "cookie": "foo=bar"}, ++ headers={ ++ "authorization": "foo", ++ "proxy-authorization": "baz", ++ "cookie": "foo=bar", ++ }, + ) + + assert r.status == 200 +@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None: + + assert "authorization" not in data + assert "Authorization" not in data ++ assert "proxy-authorization" not in data ++ assert "Proxy-Authorization" not 
in data + assert "cookie" not in data + assert "Cookie" not in data + +@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None: + "GET", + f"{self.base_url}/redirect", + fields={"target": f"{self.base_url_alt}/headers"}, +- headers={"Authorization": "foo", "Cookie": "foo=bar"}, ++ headers={ ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ }, + retries=Retry(remove_headers_on_redirect=[]), + ) + +@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None: + data = r.json() + + assert data["Authorization"] == "foo" ++ assert data["Proxy-Authorization"] == "bar" + assert data["Cookie"] == "foo=bar" + + def test_redirect_cross_host_set_removed_headers(self) -> None: +@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None: + headers={ + "X-API-Secret": "foo", + "Authorization": "bar", ++ "Proxy-Authorization": "baz", + "Cookie": "foo=bar", + }, + retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), +@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None: + + assert "X-API-Secret" not in data + assert data["Authorization"] == "bar" ++ assert data["Proxy-Authorization"] == "baz" + assert data["Cookie"] == "foo=bar" + + headers = { + "x-api-secret": "foo", + "authorization": "bar", ++ "proxy-authorization": "baz", + "cookie": "foo=bar", + } + r = http.request( +@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None: + assert "x-api-secret" not in data + assert "X-API-Secret" not in data + assert data["Authorization"] == "bar" ++ assert data["Proxy-Authorization"] == "baz" + assert data["Cookie"] == "foo=bar" + + # Ensure the header argument itself is not modified in-place. + assert headers == { + "x-api-secret": "foo", + "authorization": "bar", ++ "proxy-authorization": "baz", + "cookie": "foo=bar", + } + 
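Review bot: The extended `DEFAULT_REMOVE_HEADERS_ON_REDIRECT` only protects callers who leave `remove_headers_on_redirect` unset; the `test_redirect_cross_host_set_removed_headers` changes in this same patch assert that `Retry(remove_headers_on_redirect=["X-API-Secret"])` still delivers `Proxy-Authorization`, `Authorization` and `Cookie` to the redirect target. That replace-not-extend behaviour deserves a line where the constant is defined, for example `#: A caller-supplied remove_headers_on_redirect replaces this set; repeat these names when adding your own.` Separately, the embedded patch header still lists `CHANGES.rst` and "4 files changed", but only three file diffs follow, so its diffstat no longer matches the body. The `Retry` class and the test functions continue outside the lines shown.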
diff --git a/no-strict-OpenSSL-1.1.1.patch b/no-strict-OpenSSL-1.1.1.patch
new file mode 100644
index 0000000..9bd8ffa
--- /dev/null
+++ b/no-strict-OpenSSL-1.1.1.patch
@@ -0,0 +1,30 @@
+--- a/src/urllib3/__init__.py
++++ b/src/urllib3/__init__.py
+@@ -22,27 +22,10 @@
+ from .util.retry import Retry
+ from .util.timeout import Timeout
+
+-# Ensure that Python is compiled with OpenSSL 1.1.1+
+-# If the 'ssl' module isn't available at all that's
+-# fine, we only care if the module is available.
+ try:
+ import ssl
+ except ImportError:
+ pass
+-else:
+- if not ssl.OPENSSL_VERSION.startswith("OpenSSL "): # Defensive:
+- warnings.warn(
+- "urllib3 v2.0 only supports OpenSSL 1.1.1+, currently "
+- f"the 'ssl' module is compiled with {ssl.OPENSSL_VERSION!r}. "
+- "See: https://github.com/urllib3/urllib3/issues/3020",
+- exceptions.NotOpenSSLWarning,
+- )
+- elif ssl.OPENSSL_VERSION_INFO < (1, 1, 1): # Defensive:
+- raise ImportError(
+- "urllib3 v2.0 only supports OpenSSL 1.1.1+, currently "
+- f"the 'ssl' module is compiled with {ssl.OPENSSL_VERSION!r}. "
+- "See: https://github.com/urllib3/urllib3/issues/2168"
+- )
+
+ # === NOTE TO REPACKAGERS AND VENDORS ===
+ # Please delete this block, this logic is only
diff --git a/openssl-3.2.patch b/openssl-3.2.patch
deleted file mode 100644
index 540c889..0000000
--- a/openssl-3.2.patch
+++ /dev/null
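Review bot: Deleting the whole `else:` branch in `src/urllib3/__init__.py` leaves `try: import ssl` / `except ImportError: pass` with no check at all, so the bundle imports against an OpenSSL older than 1.1.1, or against a non-OpenSSL `ssl` build, without any signal to the operator. The changelog in this commit records that upstream removed support for OpenSSL earlier than 1.1.1 and moved the default minimum to TLS 1.2, so TLS behaviour on such a library is presumably unverified. If the import must not fail, keep the `elif ssl.OPENSSL_VERSION_INFO < (1, 1, 1):` branch and turn its `raise ImportError(` into a `warnings.warn(` call with a warning category as the last argument, leaving the `NotOpenSSLWarning` branch untouched. The patch file also carries no description header saying why the check is removed.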
@@ -1,34 +0,0 @@ -Index: urllib3-1.26.18/changelog/3268.bugfix.rst -=================================================================== ---- /dev/null -+++ urllib3-1.26.18/changelog/3268.bugfix.rst -@@ -0,0 +1 @@ -+Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. -Index: urllib3-1.26.18/test/with_dummyserver/test_socketlevel.py -=================================================================== ---- urllib3-1.26.18.orig/test/with_dummyserver/test_socketlevel.py -+++ urllib3-1.26.18/test/with_dummyserver/test_socketlevel.py -@@ -1226,7 +1226,8 @@ class TestSSL(SocketDummyServerTestCase) - self._start_server(socket_handler) - with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool: - with pytest.raises( -- SSLError, match=r"(wrong version number|record overflow)" -+ SSLError, -+ match=r"(wrong version number|record overflow|record layer failure)", - ): - pool.request("GET", "/", retries=False) - -Index: urllib3-1.26.18/src/urllib3/connectionpool.py -=================================================================== ---- urllib3-1.26.18.orig/src/urllib3/connectionpool.py -+++ urllib3-1.26.18/src/urllib3/connectionpool.py -@@ -768,7 +768,8 @@ class HTTPConnectionPool(ConnectionPool, - # so we try to cover our bases here! - message = " ".join(re.split("[^a-z]", str(ssl_error).lower())) - return ( -- "wrong version number" in message or "unknown protocol" in message -+ "wrong version number" in message or "unknown protocol" in message or "record layer failure" in message -+ - ) - - # Try to detect a common user error with proxies which is to diff --git a/remove_mock.patch b/remove_mock.patch deleted file mode 100644 index ecd28b3..0000000 --- a/remove_mock.patch +++ /dev/null 
@@ -1,261 +0,0 @@ -Index: urllib3-1.26.16/docs/conf.py -=================================================================== ---- urllib3-1.26.16.orig/docs/conf.py -+++ urllib3-1.26.16/docs/conf.py -@@ -14,7 +14,10 @@ sys.path.insert(0, root_path) - # Mock some expensive/platform-specific modules so build will work. - # (https://read-the-docs.readthedocs.io/en/latest/faq.html#\ - # i-get-import-errors-on-libraries-that-depend-on-c-modules) --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - - - class MockModule(mock.Mock): -Index: urllib3-1.26.16/test/contrib/test_pyopenssl.py -=================================================================== ---- urllib3-1.26.16.orig/test/contrib/test_pyopenssl.py -+++ urllib3-1.26.16/test/contrib/test_pyopenssl.py -@@ -1,7 +1,10 @@ - # -*- coding: utf-8 -*- - import os - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - try: -Index: urllib3-1.26.16/test/contrib/test_pyopenssl_dependencies.py -=================================================================== ---- urllib3-1.26.16.orig/test/contrib/test_pyopenssl_dependencies.py -+++ urllib3-1.26.16/test/contrib/test_pyopenssl_dependencies.py -@@ -1,6 +1,9 @@ - # -*- coding: utf-8 -*- - import pytest --from mock import Mock, patch -+try: -+ from unittest.mock import Mock, patch -+except ImportError: -+ from mock import Mock, patch - - try: - from urllib3.contrib.pyopenssl import extract_from_urllib3, inject_into_urllib3 -Index: urllib3-1.26.16/test/test_connection.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_connection.py -+++ urllib3-1.26.16/test/test_connection.py -@@ -1,6 +1,9 @@ - import datetime - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - from urllib3.connection import RECENT_DATE, CertificateError, _match_hostname -Index: 
urllib3-1.26.16/test/test_connectionpool.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_connectionpool.py -+++ urllib3-1.26.16/test/test_connectionpool.py -@@ -6,7 +6,10 @@ from ssl import SSLError as BaseSSLError - from test import SHORT_TIMEOUT - - import pytest --from mock import Mock -+try: -+ from unittest.mock import Mock -+except ImportError: -+ from mock import Mock - - from dummyserver.server import DEFAULT_CA - from urllib3._collections import HTTPHeaderDict -Index: urllib3-1.26.16/test/test_queue_monkeypatch.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_queue_monkeypatch.py -+++ urllib3-1.26.16/test/test_queue_monkeypatch.py -@@ -1,6 +1,9 @@ - from __future__ import absolute_import - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - from urllib3 import HTTPConnectionPool -Index: urllib3-1.26.16/test/test_response.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_response.py -+++ urllib3-1.26.16/test/test_response.py -@@ -9,7 +9,10 @@ from base64 import b64decode - from io import BufferedReader, BytesIO, TextIOWrapper - from test import onlyBrotlipy - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - import six - -Index: urllib3-1.26.16/test/test_retry.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_retry.py -+++ urllib3-1.26.16/test/test_retry.py -@@ -1,6 +1,9 @@ - import warnings - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - from urllib3.exceptions import ( -Index: urllib3-1.26.16/test/test_retry_deprecated.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_retry_deprecated.py 
-+++ urllib3-1.26.16/test/test_retry_deprecated.py -@@ -1,7 +1,10 @@ - # This is a copy-paste of test_retry.py with extra asserts about deprecated options. It will be removed for v2. - import warnings - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - from urllib3.exceptions import ( -Index: urllib3-1.26.16/test/test_ssl.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_ssl.py -+++ urllib3-1.26.16/test/test_ssl.py -@@ -1,6 +1,9 @@ - from test import notPyPy2 - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - from urllib3.exceptions import SNIMissingWarning -Index: urllib3-1.26.16/test/test_ssltransport.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_ssltransport.py -+++ urllib3-1.26.16/test/test_ssltransport.py -@@ -4,7 +4,10 @@ import socket - import ssl - import sys - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - - from dummyserver.server import DEFAULT_CA, DEFAULT_CERTS -Index: urllib3-1.26.16/test/test_util.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_util.py -+++ urllib3-1.26.16/test/test_util.py -@@ -9,7 +9,10 @@ from itertools import chain - from test import notBrotlipy, onlyBrotlipy, onlyPy2, onlyPy3 - - import pytest --from mock import Mock, patch -+try: -+ from unittest.mock import Mock, patch -+except ImportError: -+ from mock import Mock, patch - - from urllib3 import add_stderr_logger, disable_warnings, util - from urllib3.exceptions import ( -Index: urllib3-1.26.16/test/with_dummyserver/test_connectionpool.py -=================================================================== ---- urllib3-1.26.16.orig/test/with_dummyserver/test_connectionpool.py -+++ 
urllib3-1.26.16/test/with_dummyserver/test_connectionpool.py -@@ -12,7 +12,10 @@ import warnings - from test import LONG_TIMEOUT, SHORT_TIMEOUT, onlyPy2 - from threading import Event - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - import six - -Index: urllib3-1.26.16/test/with_dummyserver/test_https.py -=================================================================== ---- urllib3-1.26.16.orig/test/with_dummyserver/test_https.py -+++ urllib3-1.26.16/test/with_dummyserver/test_https.py -@@ -18,7 +18,10 @@ from test import ( - resolvesLocalhostFQDN, - ) - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - import trustme - -Index: urllib3-1.26.16/test/with_dummyserver/test_socketlevel.py -=================================================================== ---- urllib3-1.26.16.orig/test/with_dummyserver/test_socketlevel.py -+++ urllib3-1.26.16/test/with_dummyserver/test_socketlevel.py -@@ -54,7 +54,10 @@ from test import ( - ) - from threading import Event - --import mock -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - import pytest - import trustme - -Index: urllib3-1.26.16/test/test_poolmanager.py -=================================================================== ---- urllib3-1.26.16.orig/test/test_poolmanager.py -+++ urllib3-1.26.16/test/test_poolmanager.py -@@ -3,7 +3,11 @@ import socket - from test import resolvesLocalhostFQDN - - import pytest --from mock import patch -+ -+try: -+ import unittest.mock as mock -+except ImportError: -+ import mock - - from urllib3 import connection_from_url - from urllib3.exceptions import LocationValueError -@@ -361,7 +365,7 @@ class TestPoolManager(object): - "http://[a::b%25zone]", - ], - ) -- @patch("urllib3.util.connection.create_connection") -+ @mock.patch("urllib3.util.connection.create_connection") - def test_e2e_connect_to_ipv6_scoped(self, create_connection, url): - 
"""Checks that IPv6 scoped addresses are properly handled end-to-end. - diff --git a/saltbundlepy-urllib3.changes b/saltbundlepy-urllib3.changes index bffa5ce..0540e4e 100644 --- a/saltbundlepy-urllib3.changes +++ b/saltbundlepy-urllib3.changes 
@@ -1,3 +1,105 @@ +------------------------------------------------------------------- +Fri Aug 23 08:31:44 UTC 2024 - Victor Zhestkov + +- Add CVE-2024-37891.patch (bsc#1226469, bsc#1229654) + +- Remove strict OpenSSL 1.1.1 version checking + +- Update to 2.0.7 (bsc#1216377, CVE-2023-45803): + * Made body stripped from HTTP requests changing the request method + to GET after HTTP 303 "See Other" redirect responses. + +- Update Buildrequires to upstream list. + +- Update to 2.0.6 (bsc#1215968, CVE-2023-43804): + * Added the Cookie header to the list of headers to strip from + requests when redirecting to a different host. As before, different + headers can be set via Retry.remove_headers_on_redirect + +- Update to 2.0.5: + * Allowed pyOpenSSL third-party module without any deprecation + warning. #3126 + * Fixed default blocksize of HTTPConnection classes to match + high-level classes. Previously was 8KiB, now 16KiB. #3066 + +- Update to 2.0.4: + * Added support for union operators to ``HTTPHeaderDict`` + * Added ``BaseHTTPResponse`` to ``urllib3.__all__`` (`#3078 + * Fixed ``urllib3.connection.HTTPConnection`` to raise the + ``http.client.connect`` audit event to have the same behavior + as the standard library HTTP client + * Relied on the standard library for checking hostnames in + supported PyPy releases + +- Disable test_deprecated_no_scheme so it needs network connection to + run correctly. + +- Update to 2.0.3: + * Allowed alternative SSL libraries such as LibreSSL, while + still issuing a warning as we cannot help users facing issues + with implementations other than OpenSSL. + * Deprecated URLs which don't have an explicit scheme + * Fixed response decoding with Zstandard when compressed data + is made of several frames. + * Fixed ``assert_hostname=False`` to correctly skip hostname + check. 
+ +- Update to 2.0.2: + * Fixed ``HTTPResponse.stream()`` to continue yielding bytes if + buffered decompressed data was still available to be read + even if the underlying socket is closed. This prevents + a compressed response from being truncated. + +- Update to 2.0.1: + * Fixed a socket leak when fingerprint or hostname verifications fail. + * Fixed an error when HTTPResponse.read(0) was the first read call or when + the internal response body buffer was otherwise empty. + * Removed support for Python 2.7, 3.5, and 3.6. + * Removed fallback on certificate commonName in match_hostname() function. + * Removed support for Python with an ssl module compiled with LibreSSL, + CiscoSSL, wolfSSL, and all other OpenSSL alternatives. + * Removed support for OpenSSL versions earlier than 1.1.1. + * Removed urllib3.contrib.appengine.AppEngineManager and support for Google + App Engine Standard Environment. + * Changed ssl_version to instead set the corresponding + SSLContext.minimum_version and SSLContext.maximum_version values. + * Changed default SSLContext.minimum_version to be TLSVersion.TLSv1_2 + in line with Python 3.10. + * Changed urllib3.util.create_urllib3_context to not override the system + cipher suites with a default value. + * Changed multipart/form-data header parameter formatting matches the + WHATWG HTML Standard as of 2021-06-10. + * Changed HTTPConnection.request() to always use lowercase chunk boundaries + when sending requests with Transfer-Encoding: chunked. + * Changed enforce_content_length default to True, preventing silent data + loss when reading streamed responses. + * Changed all parameters in the HTTPConnection and HTTPSConnection + constructors to be keyword-only except host and port. + * Changed HTTPConnection.getresponse() to set the socket timeout from + HTTPConnection.timeout value before reading data from the socket. + * Changed name of Retry.BACK0FF_MAX to be Retry.DEFAULT_BACKOFF_MAX. 
+ * Changed TLS handshakes to use SSLContext.check_hostname when possible. + * Changed the default blocksize to 16KB to match OpenSSL's default read + amounts. + * Changed HTTPResponse.read() to raise an error when calling with + decode_content=False after using decode_content=True to prevent data loss. + * Fixed thread-safety issue where accessing a PoolManager with many + distinct origins would cause connection pools to be closed while + requests are in progress. + * Fixed the default value of HTTPSConnection.socket_options to match + HTTPConnection. + * Fixed a socket leak if HTTPConnection.connect() fails. +- Drop patch remove_mock.patch, included upstream. +- Fiddle with {Build,}Requires as appropiate, six finally dropped. + +- Added: + * CVE-2024-37891.patch + * no-strict-OpenSSL-1.1.1.patch + +- Removed: + * openssl-3.2.patch + * remove_mock.patch + ------------------------------------------------------------------- Mon Mar 4 11:11:14 UTC 2024 - Victor Zhestkov diff --git a/saltbundlepy-urllib3.spec b/saltbundlepy-urllib3.spec index f0c826e..610d504 100644 --- a/saltbundlepy-urllib3.spec +++ b/saltbundlepy-urllib3.spec @@ -19,10 +19,6 @@ %{?!saltbundlepy_module:%define saltbundlepy_module() saltbundlepy-%{**}} %define pythons saltbundlepy -# Disable python bytecompile for all distros -# It's called explicitly in the spec -%global __brp_python_bytecompile %{nil} - %global flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "test" %define psuffix -test 
@@ -33,21 +29,21 @@ %endif Name: saltbundlepy-urllib3%{psuffix} -Version: 1.26.18 +Version: 2.0.7 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT Group: Development/Languages/Python URL: https://urllib3.readthedocs.org/ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz -# PATCH-FIX-UPSTREAM remove_mock.patch gh#urllib3/urllib3#2108 mcepl@suse.com -# remove dependency on the external module mock -Patch0: remove_mock.patch -# PATCH-FIX-UPSTREAM openssl-3.2.patch gh#urllib3/urllib3#3271 -Patch1: openssl-3.2.patch -BuildRequires: %{saltbundlepy_module base >= 3.10} -BuildRequires: %{saltbundlepy_module setuptools} -BuildRequires: %{saltbundlepy_module six} +# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e Strip Proxy-Authorization header on redirects +Patch1: CVE-2024-37891.patch +# Avoid stict dependency on OpenSSL 1.1.1 +Patch2: no-strict-OpenSSL-1.1.1.patch +BuildRequires: saltbundlepy >= 3.11 +BuildRequires: %{saltbundlepy_module base >= 3.11} +BuildRequires: %{saltbundlepy_module hatchling} +BuildRequires: %{saltbundlepy_module pip} BuildRequires: fdupes BuildRequires: saltbundlepy-rpm-macros #!BuildIgnore: python-requests 
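Review bot: The comment on `Patch2` (`# Avoid stict dependency on OpenSSL 1.1.1`) has a typo and, unlike the one on `Patch1`, gives no patch tag or reason, although that patch removes an import-time check on the TLS library. A line such as `# PATCH-FIX-OPENSUSE no-strict-OpenSSL-1.1.1.patch -- drop the import-time OpenSSL >= 1.1.1 check because <reason>` would record why the bundle needs it and on which targets. Patch numbering now starts at `Patch1` with no `Patch0`, which is harmless but worth tidying while the list is being rewritten.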
@@ -95,32 +91,18 @@ Highlights find . -type f -exec chmod a-x '{}' \; find . -name __pycache__ -type d -exec rm -fr {} + - -# Drop the dummyserver tests, they fail in OBS -rm test/with_dummyserver/test_proxy_poolmanager.py -rm test/with_dummyserver/test_poolmanager.py -# Don't run the Google App Engine tests -rm -r test/appengine/ +find . -type f -name '*.orig' -delete %build -%python_build +%pyproject_wheel %install %if !%{with test} -%python_install +%pyproject_install -%{python_expand # Unbundle six -rm %{buildroot}/%{$python_sitelib}/urllib3/packages/six.py -rm %{buildroot}/%{$python_sitelib}/urllib3/packages/__pycache__/six*.pyc +find %{buildroot} -type f -name '*.pyc' -exec touch {} \; -ln -s %{$python_sitelib}/six.py %{buildroot}/%{$python_sitelib}/urllib3/packages/six.py -ln -sf %{$python_sitelib}/__pycache__/six.cpython-%{$python_version_nodots}.opt-1.pyc \ - %{buildroot}/%{$python_sitelib}/urllib3/packages/__pycache__/ -ln -sf %{$python_sitelib}/__pycache__/six.cpython-%{$python_version_nodots}.pyc \ - %{buildroot}/%{$python_sitelib}/urllib3/packages/__pycache__/ - -%fdupes %{buildroot}%{$python_sitelib} -} +%python_expand %fdupes %{buildroot}%{$python_sitelib} %endif %if %{with test} 
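Review bot: The added `find %{buildroot} -type f -name '*.pyc' -exec touch {} \;` in `%install` has no comment, and nothing in the hunk shows why the compiled files need a fresh mtime. A one-line comment above it, for example `# touch installed .pyc files so that <reason>`, would stop a later maintainer from removing it as a no-op. The same applies to the new `find . -type f -name '*.orig' -delete` in `%prep`, which presumably clears patch backup files.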
@@ -135,13 +117,17 @@ skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or t skiplist+=" or test_recent_date" # too slow to run in obs (checks 2GiB of data) skiplist+=" or test_requesting_large_resources_via_ssl" -%pytest -k "not (${skiplist})" +# Try to access external evil.com +skiplist+=" or test_deprecated_no_scheme" +# DeprecationWarning('ssl.TLSVersion.TLSv1 is deprecated') is filtered upstream in pyproject.toml, but it somehow got through +skiplist+=" or TestHTTPS_TLSv1" +%pytest -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py %endif %if ! %{with test} %files %{python_files} %license LICENSE.txt -%doc CHANGES.rst README.rst +%doc CHANGES.rst README.md %{python_sitelib}/urllib3 %{python_sitelib}/urllib3-%{version}*-info %endif diff --git a/urllib3-1.26.18.tar.gz b/urllib3-1.26.18.tar.gz deleted file mode 100644 index 3789138..0000000 --- a/urllib3-1.26.18.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0 -size 305687 diff --git a/urllib3-2.0.7.tar.gz b/urllib3-2.0.7.tar.gz new file mode 100644 index 0000000..4c445e5 --- /dev/null +++ b/urllib3-2.0.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 +size 282546
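Review bot: `--ignore test/with_dummyserver/test_socketlevel.py` on the `%pytest` line drops an entire test module without a comment, while every `skiplist` entry above it explains itself. The deleted openssl-3.2.patch shows that this module holds a `TestSSL` class, so together with the new `TestHTTPS_TLSv1` skip the commit loses TLS and socket-level coverage at the same time as it patches out the OpenSSL version check. Prefer naming the failing tests in `skiplist`, or at least add `# test_socketlevel.py ignored: <failing tests and reason>` above the `%pytest` line. The comment `# Try to access external evil.com` would read more clearly as `# Tries to reach an external host (evil.com)`.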