python/python-requests
SHA256
14
0
Fork 0
forked from pool/python-requests
Code Pull Requests Activity

Accepting request 1282999 from devel:languages:python

Browse Source 
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
  (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)

OBS-URL: https://build.opensuse.org/request/show/1282999
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-requests?expand=0&rev=86
This commit is contained in:
Ana Guerrero
2025-06-10 06:57:19 +00:00
committed by Git OBS Bridge
parent 4f1a69adae 80d695dbb7
commit c36468b791
3 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2024-47081.patch Normal file
View File

@@ -0,0 +1,28 @@
From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Wed, 25 Sep 2024 08:03:20 -0700
Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
---
src/requests/utils.py | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
Index: requests-2.32.3/src/requests/utils.py
===================================================================
--- requests-2.32.3.orig/src/requests/utils.py
+++ requests-2.32.3/src/requests/utils.py
@@ -233,13 +233,7 @@ def get_netrc_auth(url, raise_errors=Fal
return
ri = urlparse(url)
-
- # Strip port numbers from netloc. This weird `if...encode`` dance is
- # used for Python 3.2, which doesn't support unicode literals.
- splitstr = b":"
- if isinstance(url, str):
- splitstr = splitstr.decode("ascii")
- host = ri.netloc.split(splitstr)[0]
+ host = ri.hostname
try:
_netrc = netrc(netrc_path).authenticators(host)

6
python-requests.changes
View File

@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Jun 5 07:22:39 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
(gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com> Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

4
python-requests.spec
View File

@@ -1,7 +1,7 @@
# #
# spec file for package python-requests # spec file for package python-requests
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2025 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,8 @@ URL: https://docs.python-requests.org/
Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
# PATCH-FIX-UPSTREAM gh#psf/requests#6731 # PATCH-FIX-UPSTREAM gh#psf/requests#6731
Patch0: inject-default-ca-bundles.patch Patch0: inject-default-ca-bundles.patch
# PATCH-FIX-UPSTREAM CVE-2024-47081.patch gh#psf/requests#6965, bsc#1244039
Patch1: CVE-2024-47081.patch
BuildRequires: %{python_module base >= 3.7} BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module pip} BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools} BuildRequires: %{python_module setuptools}