diff --git a/CVE-2024-37891.patch b/CVE-2024-37891.patch
deleted file mode 100644
index a23ce26..0000000
--- a/CVE-2024-37891.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 -From: Quentin Pradet -Date: Mon, 17 Jun 2024 11:09:06 +0400 -Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf - -* Strip Proxy-Authorization header on redirects - -* Fix test_retry_default_remove_headers_on_redirect - -* Set release date ---- - CHANGES.rst | 5 +++++ - src/urllib3/util/retry.py | 4 +++- - test/test_retry.py | 6 ++++- - test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++--- - 4 files changed, 37 insertions(+), 5 deletions(-) - - -diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py -index 7a76a4a6ad..0456cceba4 100644 ---- a/src/urllib3/util/retry.py -+++ b/src/urllib3/util/retry.py -@@ -189,7 +189,9 @@ class Retry: - RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) - - #: Default headers to be used for ``remove_headers_on_redirect`` -- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) -+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( -+ ["Cookie", "Authorization", "Proxy-Authorization"] -+ ) - - #: Default maximum backoff time. 
- DEFAULT_BACKOFF_MAX = 120 -diff --git a/test/test_retry.py b/test/test_retry.py -index f71e7acc9e..ac3ce4ca73 100644 ---- a/test/test_retry.py -+++ b/test/test_retry.py -@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None: - def test_retry_default_remove_headers_on_redirect(self) -> None: - retry = Retry() - -- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} -+ assert retry.remove_headers_on_redirect == { -+ "authorization", -+ "proxy-authorization", -+ "cookie", -+ } - - def test_retry_set_remove_headers_on_redirect(self) -> None: - retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) -diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py -index 4fa9ec850a..af77241d6c 100644 ---- a/test/with_dummyserver/test_poolmanager.py -+++ b/test/with_dummyserver/test_poolmanager.py -@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None: - "GET", - f"{self.base_url}/redirect", - fields={"target": f"{self.base_url_alt}/headers"}, -- headers={"Authorization": "foo", "Cookie": "foo=bar"}, -+ headers={ -+ "Authorization": "foo", -+ "Proxy-Authorization": "bar", -+ "Cookie": "foo=bar", -+ }, - ) - - assert r.status == 200 -@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None: - data = r.json() - - assert "Authorization" not in data -+ assert "Proxy-Authorization" not in data - assert "Cookie" not in data - - r = http.request( - "GET", - f"{self.base_url}/redirect", - fields={"target": f"{self.base_url_alt}/headers"}, -- headers={"authorization": "foo", "cookie": "foo=bar"}, -+ headers={ -+ "authorization": "foo", -+ "proxy-authorization": "baz", -+ "cookie": "foo=bar", -+ }, - ) - - assert r.status == 200 -@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None: - - assert "authorization" not in data - assert "Authorization" not in data -+ assert "proxy-authorization" not in data -+ assert "Proxy-Authorization" not 
in data - assert "cookie" not in data - assert "Cookie" not in data - -@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None: - "GET", - f"{self.base_url}/redirect", - fields={"target": f"{self.base_url_alt}/headers"}, -- headers={"Authorization": "foo", "Cookie": "foo=bar"}, -+ headers={ -+ "Authorization": "foo", -+ "Proxy-Authorization": "bar", -+ "Cookie": "foo=bar", -+ }, - retries=Retry(remove_headers_on_redirect=[]), - ) - -@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None: - data = r.json() - - assert data["Authorization"] == "foo" -+ assert data["Proxy-Authorization"] == "bar" - assert data["Cookie"] == "foo=bar" - - def test_redirect_cross_host_set_removed_headers(self) -> None: -@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None: - headers={ - "X-API-Secret": "foo", - "Authorization": "bar", -+ "Proxy-Authorization": "baz", - "Cookie": "foo=bar", - }, - retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), -@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None: - - assert "X-API-Secret" not in data - assert data["Authorization"] == "bar" -+ assert data["Proxy-Authorization"] == "baz" - assert data["Cookie"] == "foo=bar" - - headers = { - "x-api-secret": "foo", - "authorization": "bar", -+ "proxy-authorization": "baz", - "cookie": "foo=bar", - } - r = http.request( -@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None: - assert "x-api-secret" not in data - assert "X-API-Secret" not in data - assert data["Authorization"] == "bar" -+ assert data["Proxy-Authorization"] == "baz" - assert data["Cookie"] == "foo=bar" - - # Ensure the header argument itself is not modified in-place. - assert headers == { - "x-api-secret": "foo", - "authorization": "bar", -+ "proxy-authorization": "baz", - "cookie": "foo=bar", - } - 
diff --git a/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz b/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz
new file mode 100644
index 0000000..fa54950
--- /dev/null
+++ b/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c5a9da30a8060bc2b57cf3ed95520e08a53a0f4d8f63985ea44c176712d16da
+size 156216
diff --git a/openssl-3.2.patch b/openssl-3.2.patch
deleted file mode 100644
index 689c04b..0000000
--- a/openssl-3.2.patch
+++ /dev/null
@@ -1,32 +0,0 @@ -Index: urllib3-2.1.0/changelog/3268.bugfix.rst -=================================================================== ---- /dev/null -+++ urllib3-2.1.0/changelog/3268.bugfix.rst -@@ -0,0 +1 @@ -+Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. -Index: urllib3-2.1.0/src/urllib3/connection.py -=================================================================== ---- urllib3-2.1.0.orig/src/urllib3/connection.py -+++ urllib3-2.1.0/src/urllib3/connection.py -@@ -864,6 +864,7 @@ def _wrap_proxy_error(err: Exception, pr - is_likely_http_proxy = ( - "wrong version number" in error_normalized - or "unknown protocol" in error_normalized -+ or "record layer failure" in error_normalized - ) - http_proxy_warning = ( - ". Your proxy appears to only use HTTP and not HTTPS, " -Index: urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py -=================================================================== ---- urllib3-2.1.0.orig/test/with_dummyserver/test_socketlevel.py -+++ urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py -@@ -1297,7 +1297,8 @@ class TestSSL(SocketDummyServerTestCase) - self._start_server(socket_handler) - with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool: - with pytest.raises( -- SSLError, match=r"(wrong version number|record overflow)" -+ SSLError, -+ match=r"(wrong version number|record overflow|record layer failure)", - ): - pool.request("GET", "/", retries=False) - diff --git a/python-urllib3.changes b/python-urllib3.changes index 765d224..67f7545 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes 
@@ -1,3 +1,59 @@ +------------------------------------------------------------------- +Thu Oct 3 05:10:09 UTC 2024 - Steve Kowalik + +- Update to 2.2.3: + * Features + + Added support for Python 3.13. + * Bugfixes + + Fixed the default encoding of chunked request bodies to be UTF-8 + instead of ISO-8859-1. All other methods of supplying a request body + already use UTF-8 starting in urllib3 v2.0. + + Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting + python/cpython#103472. + + Fixed a crash where certain standard library hash functions were absent + in restricted environments. + + Added the Proxy-Authorization header to the list of headers to strip + from requests when redirecting to a different host. As before, + different headers can be set via Retry.remove_headers_on_redirect. + + Allowed passing negative integers as amt to read methods of + http.client.HTTPResponse as an alternative to None. + + Fixed issue where InsecureRequestWarning was emitted for HTTPS + connections when using Emscripten. + + Fixed HTTPConnectionPool.urlopen to stop automatically casting + non-proxy headers to HTTPHeaderDict. This change was premature as it + did not apply to proxy headers and HTTPHeaderDict does not handle byte + header values correctly yet. + + Changed InvalidChunkLength to ProtocolError when response terminates + before the chunk length is sent. + + Changed ProtocolError to be more verbose on incomplete reads with + excess content. + + Added support for HTTPResponse.read1() method. + + Fixed issue where requests against urls with trailing dots were + failing due to SSL errors when using proxy. + + Fixed HTTPConnection.proxy_is_verified and + HTTPSConnection.proxy_is_verified to be always set to a boolean after + connecting to a proxy. It could be None in some cases previously. 
+ + Fixed an issue where headers passed in a request with json= would be + mutated + + Fixed HTTPSConnection.is_verified to be set to False when connecting + from a HTTPS proxy to an HTTP target. It was set to True previously. + + Fixed handling of new error message from OpenSSL 3.2.0 when configuring + an HTTP proxy as HTTPS + + Fixed TLS 1.3 post-handshake auth when the server certificate + validation is disabled + * HTTP/2 (experimental) + + Excluded Transfer-Encoding: chunked from HTTP/2 request body + + Added a probing mechanism for determining whether a given target + origin supports HTTP/2 via ALPN. + + Add support for sending a request body with HTTP/2 + * Removals + + Drop support for end-of-life PyPy3.8 and PyPy3.9. +- Drop patches, they are now included upstream: + * CVE-2024-37891.patch + * openssl-3.2.patch +- Included patched hypercorn, which is only unpacked and used for the test + suite. + ------------------------------------------------------------------- Tue Jun 18 09:46:57 UTC 2024 - Markéta Machová diff --git a/python-urllib3.spec b/python-urllib3.spec index 01b9cb5..229aa23 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -18,6 +18,8 @@ %global flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "test" +# No Quart for Python 3.10 +%define skip_python310 1 %define psuffix -test %bcond_without test %else 
@@ -26,42 +28,45 @@ %endif %{?sle15_python_module_pythons} Name: python-urllib3%{psuffix} -Version: 2.1.0 +Version: 2.2.3 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT URL: https://urllib3.readthedocs.org/ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz -# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#urllib3/urllib3#3271 -Patch1: openssl-3.2.patch -# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e Strip Proxy-Authorization header on redirects -Patch2: CVE-2024-37891.patch -BuildRequires: %{python_module base >= 3.7} +# https://github.com/urllib3/urllib3/issues/3334 +%define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb +Source1: https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz +BuildRequires: %{python_module base >= 3.8} +BuildRequires: %{python_module hatch-vcs} BuildRequires: %{python_module hatchling} BuildRequires: %{python_module pip} BuildRequires: fdupes BuildRequires: python-rpm-macros #!BuildIgnore: python-requests Requires: ca-certificates-mozilla -Requires: python-certifi -Requires: python-cryptography >= 1.9 -Requires: python-idna >= 3.4 -Requires: python-pyOpenSSL >= 23.2.0 Recommends: python-Brotli >= 1.0.9 Recommends: python-PySocks >= 1.7.1 +Recommends: python-h2 >= 4 +Recommends: python-zstandard >= 0.18 BuildArch: noarch %if %{with test} BuildRequires: %{python_module Brotli >= 1.0.9} BuildRequires: %{python_module PySocks >= 1.7.1} -BuildRequires: %{python_module certifi} -BuildRequires: %{python_module cryptography >= 1.9} +BuildRequires: %{python_module Quart >= 0.19} +BuildRequires: %{python_module cryptography >= 43} BuildRequires: %{python_module flaky} -BuildRequires: %{python_module idna >= 3.4} +BuildRequires: %{python_module h2 >= 4.1} +BuildRequires: %{python_module httpx >= 0.25} +BuildRequires: %{python_module idna >= 3.7} 
BuildRequires: %{python_module psutil} +BuildRequires: %{python_module pyOpenSSL >= 24.2} BuildRequires: %{python_module pytest >= 7.4.0} +BuildRequires: %{python_module pytest-socket >= 0.7} BuildRequires: %{python_module pytest-timeout >= 2.1.0} BuildRequires: %{python_module pytest-xdist} -BuildRequires: %{python_module tornado >= 6.2} +BuildRequires: %{python_module quart-trio >= 0.11} +BuildRequires: %{python_module trio >= 0.26} BuildRequires: %{python_module trustme >= 0.9.0} BuildRequires: %{python_module urllib3 >= %{version}} BuildRequires: timezone @@ -88,6 +93,11 @@ Highlights %prep %autosetup -p1 -n urllib3-%{version} +# https://github.com/urllib3/urllib3/issues/3334 +%if %{with test} +mkdir ../patched-hypercorn +tar -C ../patched-hypercorn -zxf %{SOURCE1} +%endif find . -type f -exec chmod a-x '{}' \; find . -name __pycache__ -type d -exec rm -fr {} + @@ -104,6 +114,8 @@ find . -name __pycache__ -type d -exec rm -fr {} + %if %{with test} %check +# https://github.com/urllib3/urllib3/issues/3334 +export PYTHONPATH="$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src" # gh#urllib3/urllib3#2109 export CI="true" # skip some randomly failing tests (mostly on i586, but sometimes they fail on other architectures) @@ -116,6 +128,8 @@ skiplist+=" or test_recent_date" skiplist+=" or test_requesting_large_resources_via_ssl" # Try to access external evil.com skiplist+=" or test_deprecated_no_scheme" +# weird threading issues on OBS runners +skiplist+=" or test_http2_probe_blocked_per_thread" %pytest %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py %endif @@ -124,7 +138,7 @@ skiplist+=" or test_deprecated_no_scheme" %license LICENSE.txt %doc CHANGES.rst README.md %{python_sitelib}/urllib3 -%{python_sitelib}/urllib3-%{version}*-info +%{python_sitelib}/urllib3-%{version}.dist-info %endif %changelog diff --git a/urllib3-2.1.0.tar.gz b/urllib3-2.1.0.tar.gz deleted file mode 100644 index 4097c32..0000000 
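Review bot: `mkdir ../patched-hypercorn` in the %prep addition has no `-p`, so it fails whenever the directory already exists, and because the target sits beside the source tree rather than inside it, %autosetup's cleanup does not remove it between runs; `mkdir -p ../patched-hypercorn` makes the step re-runnable. The archive is confined to the test flavor (the block is inside `%if %{with test}`) and pinned by `%{hypercorn_commit}`, which is the right shape for vendoring a fork, but the spec never says that the unpacked tree is only placed on PYTHONPATH in %check and is not installed, which the changelog text states only indirectly. A one-line comment above the `%if`, such as `# test-only: unpacked beside the source tree for %check, never installed`, would spare the next maintainer from checking %files for it.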
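Review bot: The new `export PYTHONPATH=...` in %check hard-codes the archive's top-level directory as `hypercorn-%{hypercorn_commit}/src`; if the unpacked name ever differs from that, the variable points at a missing directory and the suite silently imports whichever hypercorn is otherwise available in the build root (presumably the one pulled in by the Quart BuildRequires) instead of the patched fork, so the tests would no longer exercise what the issue-3334 workaround intends. A guard placed before the export, `test -d "$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src"`, turns that into a visible build failure. The assignment replaces rather than prepends PYTHONPATH, which looks fine here since nothing earlier in the hunk sets it.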
--- a/urllib3-2.1.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:df7aa8afb0148fa78488e7899b2c59b5f4ffcfa82e6c54ccb9dd37c1d7b52d54
-size 263900
diff --git a/urllib3-2.2.3.tar.gz b/urllib3-2.2.3.tar.gz
new file mode 100644
index 0000000..f9b3fb0
--- /dev/null
+++ b/urllib3-2.2.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9
+size 300677