Accepting request 1282999 from devel:languages:python

- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039) OBS-URL: https://build.opensuse.org/request/show/1282999 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-requests?expand=0&rev=86
2025-06-10 06:57:19 +00:00
parent 4f1a69adae 80d695dbb7
commit c36468b791
3 changed files with 37 additions and 1 deletions
--- a/CVE-2024-47081.patch
+++ b/CVE-2024-47081.patch
@@ -0,0 +1,28 @@
+From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+Index: requests-2.32.3/src/requests/utils.py
+===================================================================
+--- requests-2.32.3.orig/src/requests/utils.py
+++ requests-2.32.3/src/requests/utils.py
+@@ -233,13 +233,7 @@ def get_netrc_auth(url, raise_errors=Fal
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b":"
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode("ascii")
+-        host = ri.netloc.split(splitstr)[0]
+        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun  5 07:22:39 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
+  (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
+
 -------------------------------------------------------------------
 Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

--- a/python-requests.spec
+++ b/python-requests.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-requests
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,8 @@ URL:            https://docs.python-requests.org/
 Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM gh#psf/requests#6731
 Patch0:         inject-default-ca-bundles.patch
+# PATCH-FIX-UPSTREAM CVE-2024-47081.patch gh#psf/requests#6965, bsc#1244039
+Patch1:         CVE-2024-47081.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}