SLFO-pool/python-urllib3
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main python-urllib3 revision 9d0ae938c91d2c47a77ddca645614370

Browse Source
This commit is contained in:
Adrian Schröter 2024-12-13 12:34:27 +01:00
parent d1fad4d390
commit 202a095af6
7 changed files with 91 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
CVE-2024-37891.patch
View File

@ -1,154 +0,0 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
* Fix test_retry_default_remove_headers_on_redirect
* Set release date
---
CHANGES.rst | 5 +++++
src/urllib3/util/retry.py | 4 +++-
test/test_retry.py | 6 ++++-
test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
4 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 7a76a4a6ad..0456cceba4 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index f71e7acc9e..ac3ce4ca73 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None:
def test_retry_default_remove_headers_on_redirect(self) -> None:
retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
def test_retry_set_remove_headers_on_redirect(self) -> None:
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
index 4fa9ec850a..af77241d6c 100644
--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None:
"GET",
f"{self.base_url}/redirect",
fields={"target": f"{self.base_url_alt}/headers"},
- headers={"Authorization": "foo", "Cookie": "foo=bar"},
+ headers={
+ "Authorization": "foo",
+ "Proxy-Authorization": "bar",
+ "Cookie": "foo=bar",
+ },
)
assert r.status == 200
@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None:
data = r.json()
assert "Authorization" not in data
+ assert "Proxy-Authorization" not in data
assert "Cookie" not in data
r = http.request(
"GET",
f"{self.base_url}/redirect",
fields={"target": f"{self.base_url_alt}/headers"},
- headers={"authorization": "foo", "cookie": "foo=bar"},
+ headers={
+ "authorization": "foo",
+ "proxy-authorization": "baz",
+ "cookie": "foo=bar",
+ },
)
assert r.status == 200
@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None:
assert "authorization" not in data
assert "Authorization" not in data
+ assert "proxy-authorization" not in data
+ assert "Proxy-Authorization" not in data
assert "cookie" not in data
assert "Cookie" not in data
@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
"GET",
f"{self.base_url}/redirect",
fields={"target": f"{self.base_url_alt}/headers"},
- headers={"Authorization": "foo", "Cookie": "foo=bar"},
+ headers={
+ "Authorization": "foo",
+ "Proxy-Authorization": "bar",
+ "Cookie": "foo=bar",
+ },
retries=Retry(remove_headers_on_redirect=[]),
)
@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
data = r.json()
assert data["Authorization"] == "foo"
+ assert data["Proxy-Authorization"] == "bar"
assert data["Cookie"] == "foo=bar"
def test_redirect_cross_host_set_removed_headers(self) -> None:
@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
headers={
"X-API-Secret": "foo",
"Authorization": "bar",
+ "Proxy-Authorization": "baz",
"Cookie": "foo=bar",
},
retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
assert "X-API-Secret" not in data
assert data["Authorization"] == "bar"
+ assert data["Proxy-Authorization"] == "baz"
assert data["Cookie"] == "foo=bar"
headers = {
"x-api-secret": "foo",
"authorization": "bar",
+ "proxy-authorization": "baz",
"cookie": "foo=bar",
}
r = http.request(
@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
assert "x-api-secret" not in data
assert "X-API-Secret" not in data
assert data["Authorization"] == "bar"
+ assert data["Proxy-Authorization"] == "baz"
assert data["Cookie"] == "foo=bar"
# Ensure the header argument itself is not modified in-place.
assert headers == {
"x-api-secret": "foo",
"authorization": "bar",
+ "proxy-authorization": "baz",
"cookie": "foo=bar",
}

BIN
hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

32
openssl-3.2.patch
View File

@ -1,32 +0,0 @@
Index: urllib3-2.1.0/changelog/3268.bugfix.rst
===================================================================
--- /dev/null
+++ urllib3-2.1.0/changelog/3268.bugfix.rst
@@ -0,0 +1 @@
+Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS.
Index: urllib3-2.1.0/src/urllib3/connection.py
===================================================================
--- urllib3-2.1.0.orig/src/urllib3/connection.py
+++ urllib3-2.1.0/src/urllib3/connection.py
@@ -864,6 +864,7 @@ def _wrap_proxy_error(err: Exception, pr
is_likely_http_proxy = (
"wrong version number" in error_normalized
or "unknown protocol" in error_normalized
+ or "record layer failure" in error_normalized
)
http_proxy_warning = (
". Your proxy appears to only use HTTP and not HTTPS, "
Index: urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
===================================================================
--- urllib3-2.1.0.orig/test/with_dummyserver/test_socketlevel.py
+++ urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
@@ -1297,7 +1297,8 @@ class TestSSL(SocketDummyServerTestCase)
self._start_server(socket_handler)
with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
with pytest.raises(
- SSLError, match=r"(wrong version number|record overflow)"
+ SSLError,
+ match=r"(wrong version number|record overflow|record layer failure)",
):
pool.request("GET", "/", retries=False)

56
python-urllib3.changes
View File

@ -1,3 +1,59 @@
-------------------------------------------------------------------
Thu Oct 3 05:10:09 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 2.2.3:
* Features
+ Added support for Python 3.13.
* Bugfixes
+ Fixed the default encoding of chunked request bodies to be UTF-8
instead of ISO-8859-1. All other methods of supplying a request body
already use UTF-8 starting in urllib3 v2.0.
+ Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting
python/cpython#103472.
+ Fixed a crash where certain standard library hash functions were absent
in restricted environments.
+ Added the Proxy-Authorization header to the list of headers to strip
from requests when redirecting to a different host. As before,
different headers can be set via Retry.remove_headers_on_redirect.
+ Allowed passing negative integers as amt to read methods of
http.client.HTTPResponse as an alternative to None.
+ Fixed issue where InsecureRequestWarning was emitted for HTTPS
connections when using Emscripten.
+ Fixed HTTPConnectionPool.urlopen to stop automatically casting
non-proxy headers to HTTPHeaderDict. This change was premature as it
did not apply to proxy headers and HTTPHeaderDict does not handle byte
header values correctly yet.
+ Changed InvalidChunkLength to ProtocolError when response terminates
before the chunk length is sent.
+ Changed ProtocolError to be more verbose on incomplete reads with
excess content.
+ Added support for HTTPResponse.read1() method.
+ Fixed issue where requests against urls with trailing dots were
failing due to SSL errors when using proxy.
+ Fixed HTTPConnection.proxy_is_verified and
HTTPSConnection.proxy_is_verified to be always set to a boolean after
connecting to a proxy. It could be None in some cases previously.
+ Fixed an issue where headers passed in a request with json= would be
mutated
+ Fixed HTTPSConnection.is_verified to be set to False when connecting
from a HTTPS proxy to an HTTP target. It was set to True previously.
+ Fixed handling of new error message from OpenSSL 3.2.0 when configuring
an HTTP proxy as HTTPS
+ Fixed TLS 1.3 post-handshake auth when the server certificate
validation is disabled
* HTTP/2 (experimental)
+ Excluded Transfer-Encoding: chunked from HTTP/2 request body
+ Added a probing mechanism for determining whether a given target
origin supports HTTP/2 via ALPN.
+ Add support for sending a request body with HTTP/2
* Removals
+ Drop support for end-of-life PyPy3.8 and PyPy3.9.
- Drop patches, they are now included upstream:
* CVE-2024-37891.patch
* openssl-3.2.patch
- Included patched hypercorn, which is only unpacked and used for the test
suite.
-------------------------------------------------------------------
Tue Jun 18 09:46:57 UTC 2024 - Markéta Machová <mmachova@suse.com>

44
python-urllib3.spec
View File

@ -18,6 +18,8 @@
%global flavor @BUILD_FLAVOR@%{nil}
%if "%{flavor}" == "test"
# No Quart for Python 3.10
%define skip_python310 1
%define psuffix -test
%bcond_without test
%else
@ -26,42 +28,45 @@
%endif
%{?sle15_python_module_pythons}
Name: python-urllib3%{psuffix}
Version: 2.1.0
Version: 2.2.3
Release: 0
Summary: HTTP library with thread-safe connection pooling, file post, and more
License: MIT
URL: https://urllib3.readthedocs.org/
Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#urllib3/urllib3#3271
Patch1: openssl-3.2.patch
# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e Strip Proxy-Authorization header on redirects
Patch2: CVE-2024-37891.patch
BuildRequires: %{python_module base >= 3.7}
# https://github.com/urllib3/urllib3/issues/3334
%define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
Source1: https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
BuildRequires: %{python_module base >= 3.8}
BuildRequires: %{python_module hatch-vcs}
BuildRequires: %{python_module hatchling}
BuildRequires: %{python_module pip}
BuildRequires: fdupes
BuildRequires: python-rpm-macros
#!BuildIgnore: python-requests
Requires: ca-certificates-mozilla
Requires: python-certifi
Requires: python-cryptography >= 1.9
Requires: python-idna >= 3.4
Requires: python-pyOpenSSL >= 23.2.0
Recommends: python-Brotli >= 1.0.9
Recommends: python-PySocks >= 1.7.1
Recommends: python-h2 >= 4
Recommends: python-zstandard >= 0.18
BuildArch: noarch
%if %{with test}
BuildRequires: %{python_module Brotli >= 1.0.9}
BuildRequires: %{python_module PySocks >= 1.7.1}
BuildRequires: %{python_module certifi}
BuildRequires: %{python_module cryptography >= 1.9}
BuildRequires: %{python_module Quart >= 0.19}
BuildRequires: %{python_module cryptography >= 43}
BuildRequires: %{python_module flaky}
BuildRequires: %{python_module idna >= 3.4}
BuildRequires: %{python_module h2 >= 4.1}
BuildRequires: %{python_module httpx >= 0.25}
BuildRequires: %{python_module idna >= 3.7}
BuildRequires: %{python_module psutil}
BuildRequires: %{python_module pyOpenSSL >= 24.2}
BuildRequires: %{python_module pytest >= 7.4.0}
BuildRequires: %{python_module pytest-socket >= 0.7}
BuildRequires: %{python_module pytest-timeout >= 2.1.0}
BuildRequires: %{python_module pytest-xdist}
BuildRequires: %{python_module tornado >= 6.2}
BuildRequires: %{python_module quart-trio >= 0.11}
BuildRequires: %{python_module trio >= 0.26}
BuildRequires: %{python_module trustme >= 0.9.0}
BuildRequires: %{python_module urllib3 >= %{version}}
BuildRequires: timezone
@ -88,6 +93,11 @@ Highlights
%prep
%autosetup -p1 -n urllib3-%{version}
# https://github.com/urllib3/urllib3/issues/3334
%if %{with test}
mkdir ../patched-hypercorn
tar -C ../patched-hypercorn -zxf %{SOURCE1}
%endif
find . -type f -exec chmod a-x '{}' \;
find . -name __pycache__ -type d -exec rm -fr {} +
@ -104,6 +114,8 @@ find . -name __pycache__ -type d -exec rm -fr {} +
%if %{with test}
%check
# https://github.com/urllib3/urllib3/issues/3334
export PYTHONPATH="$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src"
# gh#urllib3/urllib3#2109
export CI="true"
# skip some randomly failing tests (mostly on i586, but sometimes they fail on other architectures)
@ -116,6 +128,8 @@ skiplist+=" or test_recent_date"
skiplist+=" or test_requesting_large_resources_via_ssl"
# Try to access external evil.com
skiplist+=" or test_deprecated_no_scheme"
# weird threading issues on OBS runners
skiplist+=" or test_http2_probe_blocked_per_thread"
%pytest %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
%endif
@ -124,7 +138,7 @@ skiplist+=" or test_deprecated_no_scheme"
%license LICENSE.txt
%doc CHANGES.rst README.md
%{python_sitelib}/urllib3
%{python_sitelib}/urllib3-%{version}*-info
%{python_sitelib}/urllib3-%{version}.dist-info
%endif
%changelog

BIN
urllib3-2.1.0.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

BIN
urllib3-2.2.3.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.