Accepting request 1284404 from devel:languages:python

- update to 2.32.4: * CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file * Numerous documentation improvements * Added support for pypy 3.11 for Linux and macOS. * Dropped support for pypy 3.9 following its end of support. - drop CVE-2024-47081.patch (merged upstream) - Switch to pyproject macros. - Remove Requires on python-py, it should have been removed earlier. OBS-URL: https://build.opensuse.org/request/show/1284404 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-requests?expand=0&rev=87
2025-06-11 14:20:27 +00:00
parent c36468b791 b3957d941a
commit 7f1a0ac2c7
5 changed files with 18 additions and 36 deletions
--- a/CVE-2024-47081.patch
+++ b/CVE-2024-47081.patch
@@ -1,28 +0,0 @@
 From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
 From: Nate Prewitt <nate.prewitt@gmail.com>
 Date: Wed, 25 Sep 2024 08:03:20 -0700
 Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
 ---
 src/requests/utils.py | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
 Index: requests-2.32.3/src/requests/utils.py
 ===================================================================
 --- requests-2.32.3.orig/src/requests/utils.py
 +++ requests-2.32.3/src/requests/utils.py
@@ -233,13 +233,7 @@ def get_netrc_auth(url, raise_errors=Fal
             return
         ri = urlparse(url)
 -
 -        # Strip port numbers from netloc. This weird `if...encode`` dance is
 -        # used for Python 3.2, which doesn't support unicode literals.
 -        splitstr = b":"
 -        if isinstance(url, str):
 -            splitstr = splitstr.decode("ascii")
 -        host = ri.netloc.split(splitstr)[0]
 +        host = ri.hostname
         try:
             _netrc = netrc(netrc_path).authenticators(host)
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,15 @@
 -------------------------------------------------------------------
 Tue Jun 10 09:42:31 UTC 2025 - Dirk Müller <dmueller@suse.com>
 - update to 2.32.4:
  * CVE-2024-47081 Fixed an issue where a maliciously crafted URL
    and trusted environment will retrieve credentials for the wrong
    hostname/machine from a netrc file
  * Numerous documentation improvements
  * Added support for pypy 3.11 for Linux and macOS.
  * Dropped support for pypy 3.9 following its end of support.
 - drop CVE-2024-47081.patch (merged upstream)
 -------------------------------------------------------------------
 Thu Jun  5 07:22:39 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -26,7 +26,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-requests%{psuffix}
-Version:        2.32.3
+Version:        2.32.4
 Release:        0
 Summary:        Python HTTP Library
 License:        Apache-2.0
@@ -34,8 +34,6 @@ URL:            https://docs.python-requests.org/
 Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM gh#psf/requests#6731
 Patch0:         inject-default-ca-bundles.patch
 # PATCH-FIX-UPSTREAM CVE-2024-47081.patch gh#psf/requests#6965, bsc#1244039
 Patch1:         CVE-2024-47081.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
--- a/requests-2.32.3.tar.gz
+++ b/requests-2.32.3.tar.gz
--- a/requests-2.32.4.tar.gz
+++ b/requests-2.32.4.tar.gz