diff --git a/inject-default-ca-bundles.patch b/inject-default-ca-bundles.patch new file mode 100644 index 0000000..1c55016 --- /dev/null +++ b/inject-default-ca-bundles.patch @@ -0,0 +1,126 @@ +From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Wed, 29 May 2024 12:48:48 -0700 +Subject: [PATCH 1/3] Consider cert settings when using default context + +--- + src/requests/adapters.py | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/src/requests/adapters.py b/src/requests/adapters.py +index 9a58b16025..991b7e21c9 100644 +--- a/src/requests/adapters.py ++++ b/src/requests/adapters.py +@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs): + _preloaded_ssl_context = None + + ++def _should_use_default_context( ++ verify: "bool | str | None", ++ client_cert: "typing.Tuple[str, str] | str | None", ++ poolmanager_kwargs: typing.Dict[str, typing.Any], ++) -> bool: ++ # Determine if we have and should use our default SSLContext ++ # to optimize performance on standard requests. ++ has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context") ++ should_use_default_ssl_context = ( ++ verify is True ++ and _preloaded_ssl_context is not None ++ and not has_poolmanager_ssl_context ++ and client_cert is None ++ ) ++ return should_use_default_ssl_context ++ ++ + def _urllib3_request_context( + request: "PreparedRequest", + verify: "bool | str | None", +@@ -98,19 +115,12 @@ def _urllib3_request_context( + parsed_request_url = urlparse(request.url) + scheme = parsed_request_url.scheme.lower() + port = parsed_request_url.port +- +- # Determine if we have and should use our default SSLContext +- # to optimize performance on standard requests. + poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {}) +- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context") +- should_use_default_ssl_context = ( +- _preloaded_ssl_context is not None and not has_poolmanager_ssl_context +- ) + + cert_reqs = "CERT_REQUIRED" + if verify is False: + cert_reqs = "CERT_NONE" +- elif verify is True and should_use_default_ssl_context: ++ elif _should_use_default_context(verify, client_cert, poolmanager_kwargs): + pool_kwargs["ssl_context"] = _preloaded_ssl_context + elif isinstance(verify, str): + if not os.path.isdir(verify): + +From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Fri, 31 May 2024 11:41:48 -0700 +Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True + +--- + src/requests/adapters.py | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/requests/adapters.py b/src/requests/adapters.py +index 991b7e21c9..ba5a0ec4f0 100644 +--- a/src/requests/adapters.py ++++ b/src/requests/adapters.py +@@ -118,15 +118,23 @@ def _urllib3_request_context( + poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {}) + + cert_reqs = "CERT_REQUIRED" ++ cert_loc = None + if verify is False: + cert_reqs = "CERT_NONE" + elif _should_use_default_context(verify, client_cert, poolmanager_kwargs): + pool_kwargs["ssl_context"] = _preloaded_ssl_context ++ elif verify is True: ++ # Set default ca cert location if none provided ++ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH) + elif isinstance(verify, str): +- if not os.path.isdir(verify): +- pool_kwargs["ca_certs"] = verify ++ cert_loc = verify ++ ++ if cert_loc is not None: ++ if not os.path.isdir(cert_loc): ++ pool_kwargs["ca_certs"] = cert_loc + else: +- pool_kwargs["ca_cert_dir"] = verify ++ pool_kwargs["ca_cert_dir"] = cert_loc ++ + pool_kwargs["cert_reqs"] = cert_reqs + if client_cert is not None: + if isinstance(client_cert, tuple) and len(client_cert) == 2: + +From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Fri, 31 May 2024 12:20:11 -0700 +Subject: [PATCH 3/3] Correct comment to match actual behavior + +--- + src/requests/adapters.py | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/requests/adapters.py b/src/requests/adapters.py +index ba5a0ec4f0..54143f9e6b 100644 +--- a/src/requests/adapters.py ++++ b/src/requests/adapters.py +@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert): + if url.lower().startswith("https") and verify: + conn.cert_reqs = "CERT_REQUIRED" + +- # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use. +- # Otherwise, if verify is a boolean, we don't load anything since +- # the connection will be using a context with the default certificates already loaded, +- # and this avoids a call to the slow load_verify_locations() ++ # Only load the CA certificates if `verify` is a ++ # string indicating the CA bundle to use. + if verify is not True: + # `verify` must be a str with a path then + cert_loc = verify diff --git a/python-requests.changes b/python-requests.changes index e9d3cb7..52d6729 100644 --- a/python-requests.changes +++ b/python-requests.changes @@ -1,23 +1,49 @@ +------------------------------------------------------------------- +Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik + +- Switch to pyproject macros. + +------------------------------------------------------------------- +Thu Oct 17 06:30:14 UTC 2024 - Steve Kowalik + +- Add patch inject-default-ca-bundles.patch: + * Inject the default CA bundles if they are not specified. + (bsc#1226321, bsc#1231500) + +------------------------------------------------------------------- +Thu Aug 29 03:17:43 UTC 2024 - Steve Kowalik + +- Remove Requires on python-py, it should have been removed earlier. + +------------------------------------------------------------------- +Thu Jun 6 19:38:03 UTC 2024 - Dirk Müller + +- update to 2.32.3: + * Fixed bug breaking the ability to specify custom SSLContexts + in sub-classes of HTTPAdapter. + * Fixed issue where Requests started failing to run on Python + versions compiled without the `ssl` module. + ------------------------------------------------------------------- Wed May 22 14:00:50 UTC 2024 - Markéta Machová - Update to 2.32.2 - * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, - we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing - custom HTTPAdapters will need to migrate their code to use this new API. get_connection is + * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, + we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing + custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. ------------------------------------------------------------------- Tue May 21 12:33:41 UTC 2024 - Markéta Machová - Update to 2.32.1 - * Fixed an issue where setting verify=False on the first request from a Session - will cause subsequent requests to the same origin to also ignore cert verification, + * Fixed an issue where setting verify=False on the first request from a Session + will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (bsc#1224788, CVE-2024-35195) - * verify=True now reuses a global SSLContext which should improve request time + * verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. - * Requests now supports optional use of character detection (chardet or charset_normalizer) - when repackaged or vendored. This enables pip and other projects to minimize their + * Requests now supports optional use of character detection (chardet or charset_normalizer) + when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. * Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7. * Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. diff --git a/python-requests.spec b/python-requests.spec index 90d1061..bb041d6 100644 --- a/python-requests.spec +++ b/python-requests.spec @@ -26,14 +26,18 @@ %endif %{?sle15_python_module_pythons} Name: python-requests%{psuffix} -Version: 2.32.2 +Version: 2.32.3 Release: 0 Summary: Python HTTP Library License: Apache-2.0 URL: https://docs.python-requests.org/ Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz +# PATCH-FIX-UPSTREAM gh#psf/requests#6731 +Patch0: inject-default-ca-bundles.patch BuildRequires: %{python_module base >= 3.7} +BuildRequires: %{python_module pip} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module wheel} BuildRequires: fdupes BuildRequires: python-rpm-macros Requires: ca-certificates @@ -41,7 +45,6 @@ Requires: python Requires: python-certifi >= 2017.4.17 Requires: python-charset-normalizer >= 2.0.0 Requires: python-idna >= 2.5 -Requires: python-py Requires: python-urllib3 >= 1.21.1 BuildArch: noarch %if 0%{?_no_weakdeps} @@ -94,11 +97,11 @@ Features of Requests: sed -i "s#\(httpbin.*\), 'never'#\1#" tests/test_requests.py %build -%python_build +%pyproject_wheel %install %if !%{with test} -%python_install +%pyproject_install # check that urllib3 is not installed test ! -e %{buildroot}%{python3_sitelib}/requests/packages/urllib3 %python_expand %fdupes %{buildroot}%{$python_sitelib} @@ -118,8 +121,8 @@ touch Pipfile %files %{python_files} %license LICENSE %doc HISTORY.md README.md -%{python_sitelib}/requests/ -%{python_sitelib}/requests-* +%{python_sitelib}/requests +%{python_sitelib}/requests-%{version}.dist-info %endif %changelog diff --git a/requests-2.32.2.tar.gz b/requests-2.32.2.tar.gz deleted file mode 100644 index 47f4b74..0000000 --- a/requests-2.32.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 -size 130327 diff --git a/requests-2.32.3.tar.gz b/requests-2.32.3.tar.gz new file mode 100644 index 0000000..d2e0256 --- /dev/null +++ b/requests-2.32.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 +size 131218