Sync from SUSE:SLFO:Main python-urllib3 revision 081de79c835977e2fa7734a639b2ce30

2024-08-30 15:33:27 +02:00 · 2024-08-30 15:33:27 +02:00 · d1fad4d390
commit d1fad4d390
parent 03d9200b8b
3 changed files with 162 additions and 1 deletions
--- a/CVE-2024-37891.patch
+++ b/CVE-2024-37891.patch
@ -0,0 +1,154 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index f71e7acc9e..ac3ce4ca73 100644
+--- a/test/test_retry.py
+++ b/test/test_retry.py
+@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None:
+     def test_retry_default_remove_headers_on_redirect(self) -> None:
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self) -> None:
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index 4fa9ec850a..af77241d6c 100644
+--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
+@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
+                headers={
+                    "Authorization": "foo",
+                    "Proxy-Authorization": "bar",
+                    "Cookie": "foo=bar",
+                },
+             )
+ 
+             assert r.status == 200
+@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+             data = r.json()
+ 
+             assert "Authorization" not in data
+            assert "Proxy-Authorization" not in data
+             assert "Cookie" not in data
+ 
+             r = http.request(
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"authorization": "foo", "cookie": "foo=bar"},
+                headers={
+                    "authorization": "foo",
+                    "proxy-authorization": "baz",
+                    "cookie": "foo=bar",
+                },
+             )
+ 
+             assert r.status == 200
+@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+ 
+             assert "authorization" not in data
+             assert "Authorization" not in data
+            assert "proxy-authorization" not in data
+            assert "Proxy-Authorization" not in data
+             assert "cookie" not in data
+             assert "Cookie" not in data
+ 
+@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
+                headers={
+                    "Authorization": "foo",
+                    "Proxy-Authorization": "bar",
+                    "Cookie": "foo=bar",
+                },
+                 retries=Retry(remove_headers_on_redirect=[]),
+             )
+ 
+@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
+             data = r.json()
+ 
+             assert data["Authorization"] == "foo"
+            assert data["Proxy-Authorization"] == "bar"
+             assert data["Cookie"] == "foo=bar"
+ 
+     def test_redirect_cross_host_set_removed_headers(self) -> None:
+@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+                 headers={
+                     "X-API-Secret": "foo",
+                     "Authorization": "bar",
+                    "Proxy-Authorization": "baz",
+                     "Cookie": "foo=bar",
+                 },
+                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+ 
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
+            assert data["Proxy-Authorization"] == "baz"
+             assert data["Cookie"] == "foo=bar"
+ 
+             headers = {
+                 "x-api-secret": "foo",
+                 "authorization": "bar",
+                "proxy-authorization": "baz",
+                 "cookie": "foo=bar",
+             }
+             r = http.request(
+@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+             assert "x-api-secret" not in data
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
+            assert data["Proxy-Authorization"] == "baz"
+             assert data["Cookie"] == "foo=bar"
+ 
+             # Ensure the header argument itself is not modified in-place.
+             assert headers == {
+                 "x-api-secret": "foo",
+                 "authorization": "bar",
+                "proxy-authorization": "baz",
+                 "cookie": "foo=bar",
+             }
+ 
--- a/python-urllib3.changes
+++ b/python-urllib3.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Jun 18 09:46:57 UTC 2024 - Markéta Machová <mmachova@suse.com>
+
+- Add CVE-2024-37891.patch (bsc#1226469)
+
 -------------------------------------------------------------------
 Thu Jan 11 11:46:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>

--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@ -1,5 +1,5 @@
 #
-# spec file
+# spec file for package python-urllib3
 #
 # Copyright (c) 2024 SUSE LLC
 #
@ -34,6 +34,8 @@ URL:            https://urllib3.readthedocs.org/
 Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE openssl-3.2.patch gh#urllib3/urllib3#3271
 Patch1:         openssl-3.2.patch
+# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e Strip Proxy-Authorization header on redirects
+Patch2:         CVE-2024-37891.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module hatchling}
 BuildRequires:  %{python_module pip}