Sync from SUSE:SLFO:Main python-requests revision d5723f093571715396f02ff3a85daca5
parent
278949fd7a
commit
aef936d7a7
126
inject-default-ca-bundles.patch
Normal file
126
inject-default-ca-bundles.patch
Normal file
@ -0,0 +1,126 @@
|
||||
From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
|
||||
From: Nate Prewitt <nate.prewitt@gmail.com>
|
||||
Date: Wed, 29 May 2024 12:48:48 -0700
|
||||
Subject: [PATCH 1/3] Consider cert settings when using default context
|
||||
|
||||
---
|
||||
src/requests/adapters.py | 26 ++++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/requests/adapters.py b/src/requests/adapters.py
|
||||
index 9a58b16025..991b7e21c9 100644
|
||||
--- a/src/requests/adapters.py
|
||||
+++ b/src/requests/adapters.py
|
||||
@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
|
||||
_preloaded_ssl_context = None
|
||||
|
||||
|
||||
+def _should_use_default_context(
|
||||
+ verify: "bool | str | None",
|
||||
+ client_cert: "typing.Tuple[str, str] | str | None",
|
||||
+ poolmanager_kwargs: typing.Dict[str, typing.Any],
|
||||
+) -> bool:
|
||||
+ # Determine if we have and should use our default SSLContext
|
||||
+ # to optimize performance on standard requests.
|
||||
+ has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
|
||||
+ should_use_default_ssl_context = (
|
||||
+ verify is True
|
||||
+ and _preloaded_ssl_context is not None
|
||||
+ and not has_poolmanager_ssl_context
|
||||
+ and client_cert is None
|
||||
+ )
|
||||
+ return should_use_default_ssl_context
|
||||
+
|
||||
+
|
||||
def _urllib3_request_context(
|
||||
request: "PreparedRequest",
|
||||
verify: "bool | str | None",
|
||||
@@ -98,19 +115,12 @@ def _urllib3_request_context(
|
||||
parsed_request_url = urlparse(request.url)
|
||||
scheme = parsed_request_url.scheme.lower()
|
||||
port = parsed_request_url.port
|
||||
-
|
||||
- # Determine if we have and should use our default SSLContext
|
||||
- # to optimize performance on standard requests.
|
||||
poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
|
||||
- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
|
||||
- should_use_default_ssl_context = (
|
||||
- _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
|
||||
- )
|
||||
|
||||
cert_reqs = "CERT_REQUIRED"
|
||||
if verify is False:
|
||||
cert_reqs = "CERT_NONE"
|
||||
- elif verify is True and should_use_default_ssl_context:
|
||||
+ elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
|
||||
pool_kwargs["ssl_context"] = _preloaded_ssl_context
|
||||
elif isinstance(verify, str):
|
||||
if not os.path.isdir(verify):
|
||||
|
||||
From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
|
||||
From: Nate Prewitt <nate.prewitt@gmail.com>
|
||||
Date: Fri, 31 May 2024 11:41:48 -0700
|
||||
Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True
|
||||
|
||||
---
|
||||
src/requests/adapters.py | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/requests/adapters.py b/src/requests/adapters.py
|
||||
index 991b7e21c9..ba5a0ec4f0 100644
|
||||
--- a/src/requests/adapters.py
|
||||
+++ b/src/requests/adapters.py
|
||||
@@ -118,15 +118,23 @@ def _urllib3_request_context(
|
||||
poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
|
||||
|
||||
cert_reqs = "CERT_REQUIRED"
|
||||
+ cert_loc = None
|
||||
if verify is False:
|
||||
cert_reqs = "CERT_NONE"
|
||||
elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
|
||||
pool_kwargs["ssl_context"] = _preloaded_ssl_context
|
||||
+ elif verify is True:
|
||||
+ # Set default ca cert location if none provided
|
||||
+ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
|
||||
elif isinstance(verify, str):
|
||||
- if not os.path.isdir(verify):
|
||||
- pool_kwargs["ca_certs"] = verify
|
||||
+ cert_loc = verify
|
||||
+
|
||||
+ if cert_loc is not None:
|
||||
+ if not os.path.isdir(cert_loc):
|
||||
+ pool_kwargs["ca_certs"] = cert_loc
|
||||
else:
|
||||
- pool_kwargs["ca_cert_dir"] = verify
|
||||
+ pool_kwargs["ca_cert_dir"] = cert_loc
|
||||
+
|
||||
pool_kwargs["cert_reqs"] = cert_reqs
|
||||
if client_cert is not None:
|
||||
if isinstance(client_cert, tuple) and len(client_cert) == 2:
|
||||
|
||||
From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
|
||||
From: Nate Prewitt <nate.prewitt@gmail.com>
|
||||
Date: Fri, 31 May 2024 12:20:11 -0700
|
||||
Subject: [PATCH 3/3] Correct comment to match actual behavior
|
||||
|
||||
---
|
||||
src/requests/adapters.py | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/requests/adapters.py b/src/requests/adapters.py
|
||||
index ba5a0ec4f0..54143f9e6b 100644
|
||||
--- a/src/requests/adapters.py
|
||||
+++ b/src/requests/adapters.py
|
||||
@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
|
||||
if url.lower().startswith("https") and verify:
|
||||
conn.cert_reqs = "CERT_REQUIRED"
|
||||
|
||||
- # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
|
||||
- # Otherwise, if verify is a boolean, we don't load anything since
|
||||
- # the connection will be using a context with the default certificates already loaded,
|
||||
- # and this avoids a call to the slow load_verify_locations()
|
||||
+ # Only load the CA certificates if `verify` is a
|
||||
+ # string indicating the CA bundle to use.
|
||||
if verify is not True:
|
||||
# `verify` must be a str with a path then
|
||||
cert_loc = verify
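Review bot: In patch 2/3 the new `elif verify is True:` branch of `_urllib3_request_context` is also taken when `_should_use_default_context` returns False because the pool manager already carries its own `ssl_context`, so the default bundle is written to `pool_kwargs["ca_certs"]` (or `ca_cert_dir`) alongside a caller-supplied context. How urllib3 combines the two is not visible on this page, but if it loads those locations into the supplied context, an adapter that deliberately restricts trust to a private CA would also accept the default roots. The branch should say which behaviour is intended, for example `# Also reached when a custom ssl_context is configured; the default bundle is then passed next to it.`, and a regression test with a custom-context adapter and `verify=True` should pin it. The body of `_urllib3_request_context` starts and ends outside these hunks, so the handling after `client_cert` is not reviewed here.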
|
@ -1,23 +1,49 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
|
||||
|
||||
- Switch to pyproject macros.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 17 06:30:14 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
|
||||
|
||||
- Add patch inject-default-ca-bundles.patch:
|
||||
* Inject the default CA bundles if they are not specified.
|
||||
(bsc#1226321, bsc#1231500)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 29 03:17:43 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
|
||||
|
||||
- Remove Requires on python-py, it should have been removed earlier.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 6 19:38:03 UTC 2024 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 2.32.3:
|
||||
* Fixed bug breaking the ability to specify custom SSLContexts
|
||||
in sub-classes of HTTPAdapter.
|
||||
* Fixed issue where Requests started failing to run on Python
|
||||
versions compiled without the `ssl` module.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 22 14:00:50 UTC 2024 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
- Update to 2.32.2
|
||||
* To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0,
|
||||
we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing
|
||||
custom HTTPAdapters will need to migrate their code to use this new API. get_connection is
|
||||
* To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0,
|
||||
we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing
|
||||
custom HTTPAdapters will need to migrate their code to use this new API. get_connection is
|
||||
considered deprecated in all versions of Requests>=2.32.0.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 21 12:33:41 UTC 2024 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
- Update to 2.32.1
|
||||
* Fixed an issue where setting verify=False on the first request from a Session
|
||||
will cause subsequent requests to the same origin to also ignore cert verification,
|
||||
* Fixed an issue where setting verify=False on the first request from a Session
|
||||
will cause subsequent requests to the same origin to also ignore cert verification,
|
||||
regardless of the value of verify. (bsc#1224788, CVE-2024-35195)
|
||||
* verify=True now reuses a global SSLContext which should improve request time
|
||||
* verify=True now reuses a global SSLContext which should improve request time
|
||||
variance between first and subsequent requests.
|
||||
* Requests now supports optional use of character detection (chardet or charset_normalizer)
|
||||
when repackaged or vendored. This enables pip and other projects to minimize their
|
||||
* Requests now supports optional use of character detection (chardet or charset_normalizer)
|
||||
when repackaged or vendored. This enables pip and other projects to minimize their
|
||||
vendoring surface area.
|
||||
* Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7.
|
||||
* Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling.
|
||||
|
@ -26,14 +26,18 @@
|
||||
%endif
|
||||
%{?sle15_python_module_pythons}
|
||||
Name: python-requests%{psuffix}
|
||||
Version: 2.32.2
|
||||
Version: 2.32.3
|
||||
Release: 0
|
||||
Summary: Python HTTP Library
|
||||
License: Apache-2.0
|
||||
URL: https://docs.python-requests.org/
|
||||
Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
|
||||
# PATCH-FIX-UPSTREAM gh#psf/requests#6731
|
||||
Patch0: inject-default-ca-bundles.patch
|
||||
BuildRequires: %{python_module base >= 3.7}
|
||||
BuildRequires: %{python_module pip}
|
||||
BuildRequires: %{python_module setuptools}
|
||||
BuildRequires: %{python_module wheel}
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: python-rpm-macros
|
||||
Requires: ca-certificates
|
||||
@ -41,7 +45,6 @@ Requires: python
|
||||
Requires: python-certifi >= 2017.4.17
|
||||
Requires: python-charset-normalizer >= 2.0.0
|
||||
Requires: python-idna >= 2.5
|
||||
Requires: python-py
|
||||
Requires: python-urllib3 >= 1.21.1
|
||||
BuildArch: noarch
|
||||
%if 0%{?_no_weakdeps}
|
||||
@ -94,11 +97,11 @@ Features of Requests:
|
||||
sed -i "s#\(httpbin.*\), 'never'#\1#" tests/test_requests.py
|
||||
|
||||
%build
|
||||
%python_build
|
||||
%pyproject_wheel
|
||||
|
||||
%install
|
||||
%if !%{with test}
|
||||
%python_install
|
||||
%pyproject_install
|
||||
# check that urllib3 is not installed
|
||||
test ! -e %{buildroot}%{python3_sitelib}/requests/packages/urllib3
|
||||
%python_expand %fdupes %{buildroot}%{$python_sitelib}
|
||||
@ -118,8 +121,8 @@ touch Pipfile
|
||||
%files %{python_files}
|
||||
%license LICENSE
|
||||
%doc HISTORY.md README.md
|
||||
%{python_sitelib}/requests/
|
||||
%{python_sitelib}/requests-*
|
||||
%{python_sitelib}/requests
|
||||
%{python_sitelib}/requests-%{version}.dist-info
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
|
BIN
requests-2.32.2.tar.gz
(Stored with Git LFS)
BIN
requests-2.32.2.tar.gz
(Stored with Git LFS)
Binary file not shown.
BIN
requests-2.32.3.tar.gz
(Stored with Git LFS)
Normal file
BIN
requests-2.32.3.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.