Sync from SUSE:SLFO:1.1 python-urllib3 revision 081de79c835977e2fa7734a639b2ce30

CVE-2024-37891.patch

@@ -0,0 +1,154 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index f71e7acc9e..ac3ce4ca73 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None:
+     def test_retry_default_remove_headers_on_redirect(self) -> None:
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++        assert retry.remove_headers_on_redirect == {
++            "authorization",
++            "proxy-authorization",
++            "cookie",
++        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self) -> None:
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index 4fa9ec850a..af77241d6c 100644
+--- a/test/with_dummyserver/test_poolmanager.py
++++ b/test/with_dummyserver/test_poolmanager.py
+@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
++                headers={
++                    "Authorization": "foo",
++                    "Proxy-Authorization": "bar",
++                    "Cookie": "foo=bar",
++                },
+             )
+ 
+             assert r.status == 200
+@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+             data = r.json()
+ 
+             assert "Authorization" not in data
++            assert "Proxy-Authorization" not in data
+             assert "Cookie" not in data
+ 
+             r = http.request(
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"authorization": "foo", "cookie": "foo=bar"},
++                headers={
++                    "authorization": "foo",
++                    "proxy-authorization": "baz",
++                    "cookie": "foo=bar",
++                },
+             )
+ 
+             assert r.status == 200
+@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+ 
+             assert "authorization" not in data
+             assert "Authorization" not in data
++            assert "proxy-authorization" not in data
++            assert "Proxy-Authorization" not in data
+             assert "cookie" not in data
+             assert "Cookie" not in data
+ 
+@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
++                headers={
++                    "Authorization": "foo",
++                    "Proxy-Authorization": "bar",
++                    "Cookie": "foo=bar",
++                },
+                 retries=Retry(remove_headers_on_redirect=[]),
+             )
+ 
+@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
+             data = r.json()
+ 
+             assert data["Authorization"] == "foo"
++            assert data["Proxy-Authorization"] == "bar"
+             assert data["Cookie"] == "foo=bar"
+ 
+     def test_redirect_cross_host_set_removed_headers(self) -> None:
+@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+                 headers={
+                     "X-API-Secret": "foo",
+                     "Authorization": "bar",
++                    "Proxy-Authorization": "baz",
+                     "Cookie": "foo=bar",
+                 },
+                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+ 
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
++            assert data["Proxy-Authorization"] == "baz"
+             assert data["Cookie"] == "foo=bar"
+ 
+             headers = {
+                 "x-api-secret": "foo",
+                 "authorization": "bar",
++                "proxy-authorization": "baz",
+                 "cookie": "foo=bar",
+             }
+             r = http.request(
+@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+             assert "x-api-secret" not in data
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
++            assert data["Proxy-Authorization"] == "baz"
+             assert data["Cookie"] == "foo=bar"
+ 
+             # Ensure the header argument itself is not modified in-place.
+             assert headers == {
+                 "x-api-secret": "foo",
+                 "authorization": "bar",
++                "proxy-authorization": "baz",
+                 "cookie": "foo=bar",
+             }
+ 

openssl-3.2.patch

@@ -0,0 +1,32 @@
+Index: urllib3-2.1.0/changelog/3268.bugfix.rst
+===================================================================
+--- /dev/null
++++ urllib3-2.1.0/changelog/3268.bugfix.rst
+@@ -0,0 +1 @@
++Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS.
+Index: urllib3-2.1.0/src/urllib3/connection.py
+===================================================================
+--- urllib3-2.1.0.orig/src/urllib3/connection.py
++++ urllib3-2.1.0/src/urllib3/connection.py
+@@ -864,6 +864,7 @@ def _wrap_proxy_error(err: Exception, pr
+     is_likely_http_proxy = (
+         "wrong version number" in error_normalized
+         or "unknown protocol" in error_normalized
++        or "record layer failure" in error_normalized
+     )
+     http_proxy_warning = (
+         ". Your proxy appears to only use HTTP and not HTTPS, "
+Index: urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
+===================================================================
+--- urllib3-2.1.0.orig/test/with_dummyserver/test_socketlevel.py
++++ urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
+@@ -1297,7 +1297,8 @@ class TestSSL(SocketDummyServerTestCase)
+         self._start_server(socket_handler)
+         with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
+             with pytest.raises(
+-                SSLError, match=r"(wrong version number|record overflow)"
++                SSLError,
++                match=r"(wrong version number|record overflow|record layer failure)",
+             ):
+                 pool.request("GET", "/", retries=False)
+ 

python-urllib3.changes

@@ -1,59 +1,3 @@
--------------------------------------------------------------------
-Thu Oct  3 05:10:09 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
-
-- Update to 2.2.3:
-  * Features
-    + Added support for Python 3.13.
-  * Bugfixes
-    + Fixed the default encoding of chunked request bodies to be UTF-8
-      instead of ISO-8859-1. All other methods of supplying a request body
-      already use UTF-8 starting in urllib3 v2.0.
-    + Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting
-      python/cpython#103472.
-    + Fixed a crash where certain standard library hash functions were absent
-      in restricted environments.
-    + Added the Proxy-Authorization header to the list of headers to strip
-      from requests when redirecting to a different host. As before,
-      different headers can be set via Retry.remove_headers_on_redirect.
-    + Allowed passing negative integers as amt to read methods of
-      http.client.HTTPResponse as an alternative to None.
-    + Fixed issue where InsecureRequestWarning was emitted for HTTPS
-      connections when using Emscripten.
-    + Fixed HTTPConnectionPool.urlopen to stop automatically casting
-      non-proxy headers to HTTPHeaderDict. This change was premature as it
-      did not apply to proxy headers and HTTPHeaderDict does not handle byte
-      header values correctly yet.
-    + Changed InvalidChunkLength to ProtocolError when response terminates
-      before the chunk length is sent.
-    + Changed ProtocolError to be more verbose on incomplete reads with
-      excess content.
-    + Added support for HTTPResponse.read1() method.
-    + Fixed issue where requests against urls with trailing dots were
-      failing due to SSL errors when using proxy.
-    + Fixed HTTPConnection.proxy_is_verified and
-      HTTPSConnection.proxy_is_verified to be always set to a boolean after
-      connecting to a proxy. It could be None in some cases previously.
-    + Fixed an issue where headers passed in a request with json= would be
-      mutated
-    + Fixed HTTPSConnection.is_verified to be set to False when connecting
-      from a HTTPS proxy to an HTTP target. It was set to True previously.
-    + Fixed handling of new error message from OpenSSL 3.2.0 when configuring
-      an HTTP proxy as HTTPS
-    + Fixed TLS 1.3 post-handshake auth when the server certificate
-      validation is disabled
-  * HTTP/2 (experimental)
-    + Excluded Transfer-Encoding: chunked from HTTP/2 request body
-    + Added a probing mechanism for determining whether a given target
-      origin supports HTTP/2 via ALPN.
-    + Add support for sending a request body with HTTP/2
-  * Removals
-    + Drop support for end-of-life PyPy3.8 and PyPy3.9.
-- Drop patches, they are now included upstream:
-  * CVE-2024-37891.patch
-  * openssl-3.2.patch
-- Included patched hypercorn, which is only unpacked and used for the test
-  suite.
-
 -------------------------------------------------------------------
 Tue Jun 18 09:46:57 UTC 2024 - Markéta Machová <mmachova@suse.com>
 

python-urllib3.spec

@@ -18,8 +18,6 @@
 
 %global flavor @BUILD_FLAVOR@%{nil}
 %if "%{flavor}" == "test"
-# No Quart for Python 3.10
-%define skip_python310 1
 %define psuffix -test
 %bcond_without test
 %else
@@ -28,45 +26,42 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3%{psuffix}
-Version:        2.2.3
+Version:        2.1.0
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
 URL:            https://urllib3.readthedocs.org/
 Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
-# https://github.com/urllib3/urllib3/issues/3334
+# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#urllib3/urllib3#3271
-%define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
+Patch1:         openssl-3.2.patch
-Source1:        https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
+# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e Strip Proxy-Authorization header on redirects
-BuildRequires:  %{python_module base >= 3.8}
+Patch2:         CVE-2024-37891.patch
-BuildRequires:  %{python_module hatch-vcs}
+BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module hatchling}
 BuildRequires:  %{python_module pip}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 #!BuildIgnore:  python-requests
 Requires:       ca-certificates-mozilla
+Requires:       python-certifi
+Requires:       python-cryptography >= 1.9
+Requires:       python-idna >= 3.4
+Requires:       python-pyOpenSSL >= 23.2.0
 Recommends:     python-Brotli >= 1.0.9
 Recommends:     python-PySocks >= 1.7.1
-Recommends:     python-h2 >= 4
-Recommends:     python-zstandard >= 0.18
 BuildArch:      noarch
 %if %{with test}
 BuildRequires:  %{python_module Brotli >= 1.0.9}
 BuildRequires:  %{python_module PySocks >= 1.7.1}
-BuildRequires:  %{python_module Quart >= 0.19}
+BuildRequires:  %{python_module certifi}
-BuildRequires:  %{python_module cryptography >= 43}
+BuildRequires:  %{python_module cryptography >= 1.9}
 BuildRequires:  %{python_module flaky}
-BuildRequires:  %{python_module h2 >= 4.1}
+BuildRequires:  %{python_module idna >= 3.4}
-BuildRequires:  %{python_module httpx >= 0.25}
-BuildRequires:  %{python_module idna >= 3.7}
 BuildRequires:  %{python_module psutil}
-BuildRequires:  %{python_module pyOpenSSL >= 24.2}
 BuildRequires:  %{python_module pytest >= 7.4.0}
-BuildRequires:  %{python_module pytest-socket >= 0.7}
 BuildRequires:  %{python_module pytest-timeout >= 2.1.0}
 BuildRequires:  %{python_module pytest-xdist}
-BuildRequires:  %{python_module quart-trio >= 0.11}
+BuildRequires:  %{python_module tornado >= 6.2}
-BuildRequires:  %{python_module trio >= 0.26}
 BuildRequires:  %{python_module trustme >= 0.9.0}
 BuildRequires:  %{python_module urllib3 >= %{version}}
 BuildRequires:  timezone
@@ -93,11 +88,6 @@ Highlights
 
 %prep
 %autosetup -p1 -n urllib3-%{version}
-# https://github.com/urllib3/urllib3/issues/3334
-%if %{with test}
-mkdir ../patched-hypercorn
-tar -C ../patched-hypercorn -zxf %{SOURCE1}
-%endif
 
 find . -type f -exec chmod a-x '{}' \;
 find . -name __pycache__ -type d -exec rm -fr {} +
@@ -114,8 +104,6 @@ find . -name __pycache__ -type d -exec rm -fr {} +
 
 %if %{with test}
 %check
-# https://github.com/urllib3/urllib3/issues/3334
-export PYTHONPATH="$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src"
 # gh#urllib3/urllib3#2109
 export CI="true"
 # skip some randomly failing tests (mostly on i586, but sometimes they fail on other architectures)
@@ -128,8 +116,6 @@ skiplist+=" or test_recent_date"
 skiplist+=" or test_requesting_large_resources_via_ssl"
 # Try to access external evil.com
 skiplist+=" or test_deprecated_no_scheme"
-# weird threading issues on OBS runners
-skiplist+=" or test_http2_probe_blocked_per_thread"
 %pytest %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
 %endif
 
@@ -138,7 +124,7 @@ skiplist+=" or test_http2_probe_blocked_per_thread"
 %license LICENSE.txt
 %doc CHANGES.rst README.md
 %{python_sitelib}/urllib3
-%{python_sitelib}/urllib3-%{version}.dist-info
+%{python_sitelib}/urllib3-%{version}*-info
 %endif
 
 %changelog