- Skip some flaky tests that fail sometimes in OBS (bsc#1234681)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=185

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

CVE-2024-37891.patch

@@ -0,0 +1,154 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index f71e7acc9e..ac3ce4ca73 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None:
+     def test_retry_default_remove_headers_on_redirect(self) -> None:
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++        assert retry.remove_headers_on_redirect == {
++            "authorization",
++            "proxy-authorization",
++            "cookie",
++        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self) -> None:
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index 4fa9ec850a..af77241d6c 100644
+--- a/test/with_dummyserver/test_poolmanager.py
++++ b/test/with_dummyserver/test_poolmanager.py
+@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
++                headers={
++                    "Authorization": "foo",
++                    "Proxy-Authorization": "bar",
++                    "Cookie": "foo=bar",
++                },
+             )
+ 
+             assert r.status == 200
+@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+             data = r.json()
+ 
+             assert "Authorization" not in data
++            assert "Proxy-Authorization" not in data
+             assert "Cookie" not in data
+ 
+             r = http.request(
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"authorization": "foo", "cookie": "foo=bar"},
++                headers={
++                    "authorization": "foo",
++                    "proxy-authorization": "baz",
++                    "cookie": "foo=bar",
++                },
+             )
+ 
+             assert r.status == 200
+@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None:
+ 
+             assert "authorization" not in data
+             assert "Authorization" not in data
++            assert "proxy-authorization" not in data
++            assert "Proxy-Authorization" not in data
+             assert "cookie" not in data
+             assert "Cookie" not in data
+ 
+@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
+                 "GET",
+                 f"{self.base_url}/redirect",
+                 fields={"target": f"{self.base_url_alt}/headers"},
+-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
++                headers={
++                    "Authorization": "foo",
++                    "Proxy-Authorization": "bar",
++                    "Cookie": "foo=bar",
++                },
+                 retries=Retry(remove_headers_on_redirect=[]),
+             )
+ 
+@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
+             data = r.json()
+ 
+             assert data["Authorization"] == "foo"
++            assert data["Proxy-Authorization"] == "bar"
+             assert data["Cookie"] == "foo=bar"
+ 
+     def test_redirect_cross_host_set_removed_headers(self) -> None:
+@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+                 headers={
+                     "X-API-Secret": "foo",
+                     "Authorization": "bar",
++                    "Proxy-Authorization": "baz",
+                     "Cookie": "foo=bar",
+                 },
+                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+ 
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
++            assert data["Proxy-Authorization"] == "baz"
+             assert data["Cookie"] == "foo=bar"
+ 
+             headers = {
+                 "x-api-secret": "foo",
+                 "authorization": "bar",
++                "proxy-authorization": "baz",
+                 "cookie": "foo=bar",
+             }
+             r = http.request(
+@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
+             assert "x-api-secret" not in data
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
++            assert data["Proxy-Authorization"] == "baz"
+             assert data["Cookie"] == "foo=bar"
+ 
+             # Ensure the header argument itself is not modified in-place.
+             assert headers == {
+                 "x-api-secret": "foo",
+                 "authorization": "bar",
++                "proxy-authorization": "baz",
+                 "cookie": "foo=bar",
+             }
+ 

_multibuild

@@ -0,0 +1,3 @@
+<multibuild>
+  <package>test</package>
+</multibuild>

openssl-3.2.patch

@@ -0,0 +1,32 @@
+Index: urllib3-2.1.0/changelog/3268.bugfix.rst
+===================================================================
+--- /dev/null
++++ urllib3-2.1.0/changelog/3268.bugfix.rst
+@@ -0,0 +1 @@
++Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS.
+Index: urllib3-2.1.0/src/urllib3/connection.py
+===================================================================
+--- urllib3-2.1.0.orig/src/urllib3/connection.py
++++ urllib3-2.1.0/src/urllib3/connection.py
+@@ -864,6 +864,7 @@ def _wrap_proxy_error(err: Exception, pr
+     is_likely_http_proxy = (
+         "wrong version number" in error_normalized
+         or "unknown protocol" in error_normalized
++        or "record layer failure" in error_normalized
+     )
+     http_proxy_warning = (
+         ". Your proxy appears to only use HTTP and not HTTPS, "
+Index: urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
+===================================================================
+--- urllib3-2.1.0.orig/test/with_dummyserver/test_socketlevel.py
++++ urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
+@@ -1297,7 +1297,8 @@ class TestSSL(SocketDummyServerTestCase)
+         self._start_server(socket_handler)
+         with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
+             with pytest.raises(
+-                SSLError, match=r"(wrong version number|record overflow)"
++                SSLError,
++                match=r"(wrong version number|record overflow|record layer failure)",
+             ):
+                 pool.request("GET", "/", retries=False)
+ 

python-urllib3.spec

@@ -0,0 +1,147 @@
+#
+# spec file for package python-urllib3
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global flavor @BUILD_FLAVOR@%{nil}
+%if "%{flavor}" == "test"
+# No Quart for Python 3.10
+%define skip_python310 1
+%define psuffix -test
+%bcond_without test
+%else
+%define psuffix %{nil}
+%bcond_with test
+%endif
+%{?sle15_python_module_pythons}
+Name:           python-urllib3%{psuffix}
+Version:        2.2.3
+Release:        0
+Summary:        HTTP library with thread-safe connection pooling, file post, and more
+License:        MIT
+URL:            https://urllib3.readthedocs.org/
+Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
+# https://github.com/urllib3/urllib3/issues/3334
+%define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
+Source1:        https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
+BuildRequires:  %{python_module base >= 3.8}
+BuildRequires:  %{python_module hatch-vcs}
+BuildRequires:  %{python_module hatchling}
+BuildRequires:  %{python_module pip}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+#!BuildIgnore:  python-requests
+Requires:       ca-certificates-mozilla
+Recommends:     python-Brotli >= 1.0.9
+Recommends:     python-PySocks >= 1.7.1
+Recommends:     python-h2 >= 4
+Recommends:     python-zstandard >= 0.18
+BuildArch:      noarch
+%if %{with test}
+BuildRequires:  %{python_module Brotli >= 1.0.9}
+BuildRequires:  %{python_module PySocks >= 1.7.1}
+BuildRequires:  %{python_module Quart >= 0.19}
+BuildRequires:  %{python_module cryptography >= 43}
+BuildRequires:  %{python_module flaky}
+BuildRequires:  %{python_module h2 >= 4.1}
+BuildRequires:  %{python_module httpx >= 0.25}
+BuildRequires:  %{python_module idna >= 3.7}
+BuildRequires:  %{python_module psutil}
+BuildRequires:  %{python_module pyOpenSSL >= 24.2}
+BuildRequires:  %{python_module pytest >= 7.4.0}
+BuildRequires:  %{python_module pytest-socket >= 0.7}
+BuildRequires:  %{python_module pytest-timeout >= 2.1.0}
+BuildRequires:  %{python_module pytest-xdist}
+BuildRequires:  %{python_module quart-trio >= 0.11}
+BuildRequires:  %{python_module trio >= 0.26}
+BuildRequires:  %{python_module trustme >= 0.9.0}
+BuildRequires:  %{python_module urllib3 >= %{version}}
+BuildRequires:  timezone
+%else
+Conflicts:      python-urllib3 < 2
+%endif
+%python_subpackages
+
+%description
+Highlights
+
+- Re-use the same socket connection for multiple requests
+  (HTTPConnectionPool and HTTPSConnectionPool)
+  (with optional client-side certificate verification).
+- File posting (encode_multipart_formdata).
+- Built-in redirection and retries (optional).
+- Supports gzip and deflate decoding.
+- Thread-safe and sanity-safe.
+- Works with AppEngine, gevent, and eventlib.
+- Tested on Python 2.6+ and Python 3.3+, 100% unit test coverage.
+- Small and easy to understand codebase perfect for extending and building upon.
+  For a more comprehensive solution, have a look at
+  Requests which is also powered by urllib3.
+
+%prep
+%autosetup -p1 -n urllib3-%{version}
+# https://github.com/urllib3/urllib3/issues/3334
+%if %{with test}
+mkdir ../patched-hypercorn
+tar -C ../patched-hypercorn -zxf %{SOURCE1}
+%endif
+
+find . -type f -exec chmod a-x '{}' \;
+find . -name __pycache__ -type d -exec rm -fr {} +
+
+%build
+%pyproject_wheel
+
+%install
+%if !%{with test}
+%pyproject_install
+
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+%endif
+
+%if %{with test}
+%check
+# https://github.com/urllib3/urllib3/issues/3334
+export PYTHONPATH="$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src"
+# gh#urllib3/urllib3#2109
+export CI="true"
+# skip some randomly failing tests (mostly on i586, but sometimes they fail on other architectures)
+skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or test_ssl_custom_validation_failure_terminates"
+# gh#urllib3/urllib3#1752 and others: upstream's way of checking that the build
+# system has a correct system time breaks (re-)building the package after too
+# many months have passed since the last release.
+skiplist+=" or test_recent_date"
+# too slow to run in obs (checks 2GiB of data)
+skiplist+=" or test_requesting_large_resources_via_ssl"
+# Try to access external evil.com
+skiplist+=" or test_deprecated_no_scheme"
+# weird threading issues on OBS runners
+skiplist+=" or test_http2_probe_blocked_per_thread"
+# flaky test, works locally but fails in OBS with
+# TypeError: _wrap_bio() argument 'incoming' must be _ssl.MemoryBIO, not _ssl.MemoryBIO
+skiplist+=" or test_https_proxy_forwarding_for_https or test_https_headers_forwarding_for_https"
+%pytest -W ignore::DeprecationWarning %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
+%endif
+
+%if ! %{with test}
+%files %{python_files}
+%license LICENSE.txt
+%doc CHANGES.rst README.md
+%{python_sitelib}/urllib3
+%{python_sitelib}/urllib3-%{version}.dist-info
+%endif
+
+%changelog