From 3c7026ea2dd54f9ea6c20a3dc0f24d0a27e4be7e5bba66b2002d48d2c7afc0b9 Mon Sep 17 00:00:00 2001 From: Thomas Bechtold Date: Tue, 23 Apr 2019 04:14:26 +0000 Subject: [PATCH 01/10] - update to 1.25 (bsc#1132663, CVE-2019-11236): * Require and validate certificates by default when using HTTPS * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant. * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use encrypted ``key_file`` without creating your own ``SSLContext`` object. * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport ``SSLContext`` implementations. (Pull #1496) * Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft. * Fixed issue where OpenSSL would block if an encrypted client private key was given and no password was given. Instead an ``SSLError`` is raised. * Added support for Brotli content encoding. It is enabled automatically if ``brotlipy`` package is installed which can be requested with ``urllib3[brotli]`` extra. * Drop ciphers using DSS key exchange from default TLS cipher suites. Improve default ciphers when using SecureTransport. * Implemented a more efficient ``HTTPResponse.__iter__()`` method. - Drop urllib3-test-ssl-drop-sslv3.patch . No longer needed OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=59 --- python-urllib3.changes | 21 +++++++++++++++++++++ python-urllib3.spec | 5 +---- urllib3-1.24.2.tar.gz | 3 --- urllib3-1.25.tar.gz | 3 +++ urllib3-ssl-default-context.patch | 10 ++++++---- urllib3-test-ssl-drop-sslv3.patch | 11 ----------- 6 files changed, 31 insertions(+), 22 deletions(-) delete mode 100644 urllib3-1.24.2.tar.gz create mode 100644 urllib3-1.25.tar.gz delete mode 100644 urllib3-test-ssl-drop-sslv3.patch diff --git a/python-urllib3.changes b/python-urllib3.changes index e3faa94..93805ea 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Tue Apr 23 04:04:50 UTC 2019 - Thomas Bechtold + +- update to 1.25 (bsc#1132663, CVE-2019-11236): + * Require and validate certificates by default when using HTTPS + * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant. + * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use + encrypted ``key_file`` without creating your own ``SSLContext`` object. + * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport ``SSLContext`` + implementations. (Pull #1496) + * Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft. + * Fixed issue where OpenSSL would block if an encrypted client private key was + given and no password was given. Instead an ``SSLError`` is raised. + * Added support for Brotli content encoding. It is enabled automatically if + ``brotlipy`` package is installed which can be requested with + ``urllib3[brotli]`` extra. + * Drop ciphers using DSS key exchange from default TLS cipher suites. + Improve default ciphers when using SecureTransport. + * Implemented a more efficient ``HTTPResponse.__iter__()`` method. +- Drop urllib3-test-ssl-drop-sslv3.patch . No longer needed + ------------------------------------------------------------------- Thu Apr 18 00:02:07 CEST 2019 - Matej Cepl diff --git a/python-urllib3.spec b/python-urllib3.spec index b15aec4..b55d20b 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -31,7 +31,7 @@ Name: python-urllib3-%{flavor} %else Name: python-urllib3 %endif -Version: 1.24.2 +Version: 1.25 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT 
@@ -41,8 +41,6 @@ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3 # PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate path is supplied # should be removed in the future, see SR#437853 Patch2: urllib3-ssl-default-context.patch -# PATCH-FIX-OPENSUSE -- do not use unsupported SSLv3 in tests -Patch3: urllib3-test-ssl-drop-sslv3.patch # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date Patch4: python-urllib3-recent-date.patch BuildRequires: %{python_module PySocks} @@ -91,7 +89,6 @@ Highlights %prep %setup -q -n urllib3-%{version} %patch2 -p1 -%patch3 -p1 %patch4 -p1 find . -type f -exec chmod a-x '{}' \; diff --git a/urllib3-1.24.2.tar.gz b/urllib3-1.24.2.tar.gz deleted file mode 100644 index 9f20240..0000000 --- a/urllib3-1.24.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9a247273df709c4fedb38c711e44292304f73f39ab01beda9f6b9fc375669ac3 -size 230699 diff --git a/urllib3-1.25.tar.gz b/urllib3-1.25.tar.gz new file mode 100644 index 0000000..3a15bce --- /dev/null +++ b/urllib3-1.25.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f03eeb431c77b88cf8747d47e94233a91d0e0fdae1cf09e0b21405a885700266 +size 409895 diff --git a/urllib3-ssl-default-context.patch b/urllib3-ssl-default-context.patch index 7e399ec..df0cb50 100644 --- a/urllib3-ssl-default-context.patch +++ b/urllib3-ssl-default-context.patch @@ -1,5 +1,7 @@ ---- a/src/urllib3/util/ssl_.py -+++ b/src/urllib3/util/ssl_.py +Index: urllib3-1.25/src/urllib3/util/ssl_.py +=================================================================== +--- urllib3-1.25.orig/src/urllib3/util/ssl_.py ++++ urllib3-1.25/src/urllib3/util/ssl_.py 
@@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None, elif ssl_context is None and hasattr(context, 'load_default_certs'): # try to load OS default certs; works well on Windows (require Python3.4+) @@ -7,5 +9,5 @@ + elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'): + context.set_default_verify_paths() - if certfile: - context.load_cert_chain(certfile, keyfile) + # Attempt to detect if we get the goofy behavior of the + # keyfile being encrypted and OpenSSL asking for the diff --git a/urllib3-test-ssl-drop-sslv3.patch b/urllib3-test-ssl-drop-sslv3.patch deleted file mode 100644 index 8c2b7a1..0000000 --- a/urllib3-test-ssl-drop-sslv3.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/test/with_dummyserver/test_https.py -+++ b/test/with_dummyserver/test_https.py -@@ -557,7 +557,7 @@ class TestHTTPS(HTTPSDummyServerTestCase - - class TestHTTPS_TLSv1(HTTPSDummyServerTestCase): - certs = DEFAULT_CERTS.copy() -- certs['ssl_version'] = ssl.PROTOCOL_TLSv1 -+ certs['ssl_version'] = ssl.PROTOCOL_TLSv1_2 - - def setUp(self): - self._pool = HTTPSConnectionPool(self.host, self.port) From 895bd350a6390ffdaa6ca28d2d33c84fa5ba4de68d399d90e0c1d0d67a7b2fd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Tue, 23 Apr 2019 10:39:55 +0000 Subject: [PATCH 02/10] - Add missing dependency on brotlipy - Fix the tests to pass again OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=60 --- python-urllib3.changes | 6 ++++++ python-urllib3.spec | 14 ++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/python-urllib3.changes b/python-urllib3.changes index 93805ea..d8f30e0 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes 
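Review bot: In urllib3-ssl-default-context.patch, the carried-over branch `elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):` is not limited to contexts urllib3 created itself, unlike the `ssl_context is None` test on the branch before it. On interpreters that have `load_default_certs`, this branch therefore appears to be reached only when the caller passed its own `SSLContext`. In that case it adds the system trust store to a context the caller may have restricted to a private CA. Consider `elif ssl_context is None and cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):`. The rest of the if/elif chain in `ssl_wrap_socket` is outside the hunk, so confirm this against the full function.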
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal + +- Add missing dependency on brotlipy +- Fix the tests to pass again + ------------------------------------------------------------------- Tue Apr 23 04:04:50 UTC 2019 - Thomas Bechtold diff --git a/python-urllib3.spec b/python-urllib3.spec index b55d20b..272f85d 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -49,9 +49,12 @@ BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: python-rpm-macros %if %{with test} +BuildRequires: %{python_module brotlipy} +BuildRequires: %{python_module idna} BuildRequires: %{python_module mock >= 1.3.0} BuildRequires: %{python_module pytest} BuildRequires: %{python_module tornado >= 4.2.1} +BuildRequires: %{python_module urllib3 >= %{version}} %endif #!BuildIgnore: python-requests BuildArch: noarch @@ -61,6 +64,7 @@ Recommends: python-cryptography Recommends: python-idna Recommends: python-ndg-httpsclient Recommends: python-pyOpenSSL +Recommends: python-brotlipy %endif # for SSL module on older distros BuildRequires: %{oldpython} @@ -91,17 +95,20 @@ Highlights %patch2 -p1 %patch4 -p1 find . -type f -exec chmod a-x '{}' \; +find . -name __pycache__ -type d -exec rm -fr {} + %build %python_build %install +%if !%{with test} %python_install %{python_expand \ $python -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/ $python -O -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/ %fdupes %{buildroot}%{$python_sitelib} } +%endif %check %if %{with test} 
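Review bot: `BuildRequires: %{python_module urllib3 >= %{version}}` in the `%if %{with test}` block accepts any newer urllib3 from the repository, so the test flavor can pass against a build that does not match this spec's version or patch set. The same commit wraps `%python_install` in `%if !%{with test}`, so the test flavor has no locally installed copy of its own to test. Pinning with `BuildRequires: %{python_module urllib3 = %{version}}` keeps the tested package and the spec in step.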
@@ -113,20 +120,19 @@ esac rm -rf build # pretend to be TRAVIS (this triggers timing tolerance) -export TRAVIS=1 -%{python_expand PYTHONPATH="%{buildroot}%{$python_sitelib}" py.test-%$python_bin_suffix \ +export PYTHONDONTWRITEBYTECODE=1 +%{python_expand PYTHONPATH="%{$python_sitelib}" py.test-%{$python_bin_suffix} -v \ --ignore=test/appengine \ --ignore=test/with_dummyserver/test_proxy_poolmanager.py \ --ignore=test/with_dummyserver/test_poolmanager.py \ -k "${skiplist}" \ src/urllib3 test} -rm -rf %{buildroot}%{_libexecdir}/python* %endif +%if ! %{with test} %files %{python_files} %license LICENSE.txt %doc CHANGES.rst CONTRIBUTORS.txt README.rst -%if ! %{with test} %{python_sitelib}/urllib3 %{python_sitelib}/urllib3-%{version}-py*.egg-info %endif From 74e303d45b430432527c749f1f3a8d6a004bf380c1aedebb0e76188df557b746 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Tue, 30 Apr 2019 10:46:53 +0000 Subject: [PATCH 03/10] Accepting request 699612 from home:mcepl:branches:devel:languages:python - Updated to 1.25.2: - Add support for Google's Brotli package. (gh#urllib3/urllib3#1572, gh#urllib3/urllib3#1579) - Upgrade bundled rfc3986 to v1.3.1 (gh#urllib3/urllib3#1578) - Add fix-tests-no-fail-bpo-30458.patch to work around our Python has fixed bpo#30458. OBS-URL: https://build.opensuse.org/request/show/699612 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=61 --- fix-tests-no-fail-bpo-30458.patch | 11 +++++++++++ python-urllib3-recent-date.patch | 2 +- python-urllib3.changes | 10 ++++++++++ python-urllib3.spec | 7 ++++++- urllib3-1.25.2.tar.gz | 3 +++ urllib3-1.25.tar.gz | 3 --- 6 files changed, 31 insertions(+), 5 deletions(-) create mode 100644 fix-tests-no-fail-bpo-30458.patch create mode 100644 urllib3-1.25.2.tar.gz delete mode 100644 urllib3-1.25.tar.gz diff --git a/fix-tests-no-fail-bpo-30458.patch b/fix-tests-no-fail-bpo-30458.patch new file mode 100644 index 0000000..be9152a --- /dev/null 
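Review bot: The comment `# pretend to be TRAVIS (this triggers timing tolerance)` is kept while the `export TRAVIS=1` it described is removed, so it now sits above `export PYTHONDONTWRITEBYTECODE=1` and misdescribes it. Either drop it or replace it with a comment for the new line, e.g. `# do not write .pyc files into the installed site-packages during tests`. The switch of `PYTHONPATH` from `%{buildroot}%{$python_sitelib}` to `%{$python_sitelib}` also means the suite exercises the already-installed urllib3 rather than this build's output. That deserves a one-line comment of its own, because a green test run no longer vouches for the sources and patches in this revision.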
+++ b/fix-tests-no-fail-bpo-30458.patch @@ -0,0 +1,11 @@ +--- a/test/with_dummyserver/test_connectionpool.py ++++ b/test/with_dummyserver/test_connectionpool.py +@@ -689,7 +689,7 @@ class TestConnectionPool(HTTPDummyServer + for addr in INVALID_SOURCE_ADDRESSES: + pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False) + # FIXME: This assert flakes sometimes. Not sure why. +- self.assertRaises(NewConnectionError, ++ self.assertRaises((NewConnectionError, ValueError), + pool.request, + 'GET', '/source_address?{0}'.format(addr)) + diff --git a/python-urllib3-recent-date.patch b/python-urllib3-recent-date.patch index 198b0d8..abe869c 100644 --- a/python-urllib3-recent-date.patch +++ b/python-urllib3-recent-date.patch @@ -15,7 +15,7 @@ Fixes #1303 --- a/src/urllib3/connection.py +++ b/src/urllib3/connection.py -@@ -59,7 +59,7 @@ port_by_scheme = { +@@ -60,7 +60,7 @@ port_by_scheme = { # and not less than 6 months ago. # Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) diff --git a/python-urllib3.changes b/python-urllib3.changes index d8f30e0..0ba060d 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Apr 30 12:27:37 CEST 2019 - Matej Cepl + +- Updated to 1.25.2: + - Add support for Google's Brotli package. + (gh#urllib3/urllib3#1572, gh#urllib3/urllib3#1579) + - Upgrade bundled rfc3986 to v1.3.1 (gh#urllib3/urllib3#1578) +- Add fix-tests-no-fail-bpo-30458.patch to work around our Python + has fixed bpo#30458. + ------------------------------------------------------------------- Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index 272f85d..5ead88f 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec 
@@ -31,7 +31,7 @@ Name: python-urllib3-%{flavor} %else Name: python-urllib3 %endif -Version: 1.25 +Version: 1.25.2 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT @@ -43,6 +43,10 @@ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3 Patch2: urllib3-ssl-default-context.patch # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date Patch4: python-urllib3-recent-date.patch +# PATCH-FIX-OPENSUSE fix-tests-no-fail-bpo-30458.patch bsc#1130840 mcepl@suse.com +# Work around the fact that the incorrect URL in question is caught +# already by our Python itself. +Patch5: fix-tests-no-fail-bpo-30458.patch BuildRequires: %{python_module PySocks} BuildRequires: %{python_module psutil} BuildRequires: %{python_module setuptools} @@ -94,6 +98,7 @@ Highlights %setup -q -n urllib3-%{version} %patch2 -p1 %patch4 -p1 +%patch5 -p1 find . -type f -exec chmod a-x '{}' \; find . -name __pycache__ -type d -exec rm -fr {} + diff --git a/urllib3-1.25.2.tar.gz b/urllib3-1.25.2.tar.gz new file mode 100644 index 0000000..5f3512f --- /dev/null +++ b/urllib3-1.25.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a53063d8b9210a7bdec15e7b272776b9d42b2fd6816401a0d43006ad2f9902db +size 261479 diff --git a/urllib3-1.25.tar.gz b/urllib3-1.25.tar.gz deleted file mode 100644 index 3a15bce..0000000 --- a/urllib3-1.25.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f03eeb431c77b88cf8747d47e94233a91d0e0fdae1cf09e0b21405a885700266 -size 409895 From ccbae0c7b57468885118022104a4e51eb91295387d483555b31fa1e239ccf48f Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Thu, 2 May 2019 08:38:20 +0000 Subject: [PATCH 04/10] Accepting request 700045 from devel:languages:python Revert to rev 60. OBS-URL: https://build.opensuse.org/request/show/700045 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=62 --- fix-tests-no-fail-bpo-30458.patch | 11 ----------- python-urllib3-recent-date.patch | 2 +- python-urllib3.changes | 10 ---------- python-urllib3.spec | 7 +------ urllib3-1.25.2.tar.gz | 3 --- urllib3-1.25.tar.gz | 3 +++ 6 files changed, 5 insertions(+), 31 deletions(-) delete mode 100644 fix-tests-no-fail-bpo-30458.patch delete mode 100644 urllib3-1.25.2.tar.gz create mode 100644 urllib3-1.25.tar.gz diff --git a/fix-tests-no-fail-bpo-30458.patch b/fix-tests-no-fail-bpo-30458.patch deleted file mode 100644 index be9152a..0000000 --- a/fix-tests-no-fail-bpo-30458.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/test/with_dummyserver/test_connectionpool.py -+++ b/test/with_dummyserver/test_connectionpool.py -@@ -689,7 +689,7 @@ class TestConnectionPool(HTTPDummyServer - for addr in INVALID_SOURCE_ADDRESSES: - pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False) - # FIXME: This assert flakes sometimes. Not sure why. -- self.assertRaises(NewConnectionError, -+ self.assertRaises((NewConnectionError, ValueError), - pool.request, - 'GET', '/source_address?{0}'.format(addr)) - diff --git a/python-urllib3-recent-date.patch b/python-urllib3-recent-date.patch index abe869c..198b0d8 100644 --- a/python-urllib3-recent-date.patch +++ b/python-urllib3-recent-date.patch @@ -15,7 +15,7 @@ Fixes #1303 --- a/src/urllib3/connection.py +++ b/src/urllib3/connection.py -@@ -60,7 +60,7 @@ port_by_scheme = { +@@ -59,7 +59,7 @@ port_by_scheme = { # and not less than 6 months ago. # Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) 
diff --git a/python-urllib3.changes b/python-urllib3.changes index 0ba060d..d8f30e0 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes @@ -1,13 +1,3 @@ -------------------------------------------------------------------- -Tue Apr 30 12:27:37 CEST 2019 - Matej Cepl - -- Updated to 1.25.2: - - Add support for Google's Brotli package. - (gh#urllib3/urllib3#1572, gh#urllib3/urllib3#1579) - - Upgrade bundled rfc3986 to v1.3.1 (gh#urllib3/urllib3#1578) -- Add fix-tests-no-fail-bpo-30458.patch to work around our Python - has fixed bpo#30458. - ------------------------------------------------------------------- Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index 5ead88f..272f85d 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -31,7 +31,7 @@ Name: python-urllib3-%{flavor} %else Name: python-urllib3 %endif -Version: 1.25.2 +Version: 1.25 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT @@ -43,10 +43,6 @@ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3 Patch2: urllib3-ssl-default-context.patch # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date Patch4: python-urllib3-recent-date.patch -# PATCH-FIX-OPENSUSE fix-tests-no-fail-bpo-30458.patch bsc#1130840 mcepl@suse.com -# Work around the fact that the incorrect URL in question is caught -# already by our Python itself. -Patch5: fix-tests-no-fail-bpo-30458.patch BuildRequires: %{python_module PySocks} BuildRequires: %{python_module psutil} BuildRequires: %{python_module setuptools} @@ -98,7 +94,6 @@ Highlights %setup -q -n urllib3-%{version} %patch2 -p1 %patch4 -p1 -%patch5 -p1 find . -type f -exec chmod a-x '{}' \; find . -name __pycache__ -type d -exec rm -fr {} + diff --git a/urllib3-1.25.2.tar.gz b/urllib3-1.25.2.tar.gz deleted file mode 100644 index 5f3512f..0000000 
--- a/urllib3-1.25.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a53063d8b9210a7bdec15e7b272776b9d42b2fd6816401a0d43006ad2f9902db -size 261479 diff --git a/urllib3-1.25.tar.gz b/urllib3-1.25.tar.gz new file mode 100644 index 0000000..3a15bce --- /dev/null +++ b/urllib3-1.25.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f03eeb431c77b88cf8747d47e94233a91d0e0fdae1cf09e0b21405a885700266 +size 409895 From e397a5c391d6df14b1b263ae87543984b6f9070ad1a9deeb07e8508795dbc6ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 6 May 2019 11:21:12 +0000 Subject: [PATCH 05/10] - Update to 1.25.2: * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583) * Change parse_url to percent-encode invalid characters within the path, query, and target components. (Pull #1586) * Add support for Google's Brotli package. (Pull #1572, Pull #1579) * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578) - Require all the deps from the secure list rather than Recommend. This makes the check to be run always and ensure the urls are "secure". - Remove ndg-httpsclient as it is not needed since 2015 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=63 --- python-urllib3.changes | 13 +++++++++++++ python-urllib3.spec | 31 +++++++++++++------------------ urllib3-1.25.2.tar.gz | 3 +++ urllib3-1.25.tar.gz | 3 --- 4 files changed, 29 insertions(+), 21 deletions(-) create mode 100644 urllib3-1.25.2.tar.gz delete mode 100644 urllib3-1.25.tar.gz diff --git a/python-urllib3.changes b/python-urllib3.changes index d8f30e0..98189c6 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes 
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Mon May 6 11:18:36 UTC 2019 - Tomáš Chvátal + +- Update to 1.25.2: + * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583) + * Change parse_url to percent-encode invalid characters within the path, query, and target components. (Pull #1586) + * Add support for Google's Brotli package. (Pull #1572, Pull #1579) + * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578) +- Require all the deps from the secure list rather than Recommend. + This makes the check to be run always and ensure the urls are + "secure". +- Remove ndg-httpsclient as it is not needed since 2015 + ------------------------------------------------------------------- Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index 272f85d..195e883 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -18,20 +18,16 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python - %global flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "test" -%define test 1 +%define psuffix -test %bcond_without test %else +%define psuffix %{nil} %bcond_with test %endif -%if %{with test} -Name: python-urllib3-%{flavor} -%else -Name: python-urllib3 -%endif -Version: 1.25 +Name: python-urllib3%{psuffix} +Version: 1.25.2 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT 
@@ -43,11 +39,20 @@ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3 Patch2: urllib3-ssl-default-context.patch # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date Patch4: python-urllib3-recent-date.patch +# for SSL module on older distros +BuildRequires: %{oldpython} BuildRequires: %{python_module PySocks} BuildRequires: %{python_module psutil} BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: python-rpm-macros +BuildRequires: python2-ipaddress +#!BuildIgnore: python-requests +Requires: ca-certificates-mozilla +Requires: python-cryptography +Requires: python-idna +Requires: python-pyOpenSSL +BuildArch: noarch %if %{with test} BuildRequires: %{python_module brotlipy} BuildRequires: %{python_module idna} @@ -56,19 +61,9 @@ BuildRequires: %{python_module pytest} BuildRequires: %{python_module tornado >= 4.2.1} BuildRequires: %{python_module urllib3 >= %{version}} %endif -#!BuildIgnore: python-requests -BuildArch: noarch %if 0%{?suse_version} >= 1000 || 0%{?fedora_version} >= 24 -Recommends: ca-certificates-mozilla -Recommends: python-cryptography -Recommends: python-idna -Recommends: python-ndg-httpsclient -Recommends: python-pyOpenSSL Recommends: python-brotlipy %endif -# for SSL module on older distros -BuildRequires: %{oldpython} -BuildRequires: python2-ipaddress %ifpython2 Requires: python-ipaddress %endif diff --git a/urllib3-1.25.2.tar.gz b/urllib3-1.25.2.tar.gz new file mode 100644 index 0000000..5f3512f --- /dev/null +++ b/urllib3-1.25.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a53063d8b9210a7bdec15e7b272776b9d42b2fd6816401a0d43006ad2f9902db +size 261479 diff --git a/urllib3-1.25.tar.gz b/urllib3-1.25.tar.gz deleted file mode 100644 index 3a15bce..0000000 --- a/urllib3-1.25.tar.gz +++ /dev/null 
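Review bot: The new hard `Requires:` on `ca-certificates-mozilla`, `python-cryptography`, `python-idna` and `python-pyOpenSSL` carry no comment, and the reason given in the changelog (the "secure" dependency list) is not visible in the spec. As far as I know, urllib3 only switches to the pyOpenSSL backend when the application opts in. The changelog's claim that the check now always runs should therefore be verified rather than assumed from the packages being installed. A comment above the block such as `# urllib3[secure] dependencies; hard-required so TLS verification support never depends on optional packages` would record the intent.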
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f03eeb431c77b88cf8747d47e94233a91d0e0fdae1cf09e0b21405a885700266 -size 409895 From b0e8647f51bef6bb486f242b82996c80ea21eb965a95b2064c2ebce64267dd3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 29 May 2019 07:57:50 +0000 Subject: [PATCH 06/10] - Update to 1.25.3: * Change HTTPSConnection to load system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603) * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=64 --- python-urllib3.changes | 7 +++++++ python-urllib3.spec | 11 ++--------- urllib3-1.25.2.tar.gz | 3 --- urllib3-1.25.3.tar.gz | 3 +++ 4 files changed, 12 insertions(+), 12 deletions(-) delete mode 100644 urllib3-1.25.2.tar.gz create mode 100644 urllib3-1.25.3.tar.gz diff --git a/python-urllib3.changes b/python-urllib3.changes index 98189c6..681ab3f 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri May 24 19:16:21 UTC 2019 - Tomáš Chvátal + +- Update to 1.25.3: + * Change HTTPSConnection to load system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603) + * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605) + ------------------------------------------------------------------- Mon May 6 11:18:36 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index 195e883..de77ab2 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -27,7 +27,7 @@ %bcond_with test %endif Name: python-urllib3%{psuffix} -Version: 1.25.2 +Version: 1.25.3 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT 
@@ -113,15 +113,8 @@ ppc*) skiplist="$skiplist and not test_select_timing and not test_select_multiple_interrupts_with_event and not test_interrupt_wait_for_read_with_event and not test_select_interrupt_with_event";; esac -rm -rf build -# pretend to be TRAVIS (this triggers timing tolerance) export PYTHONDONTWRITEBYTECODE=1 -%{python_expand PYTHONPATH="%{$python_sitelib}" py.test-%{$python_bin_suffix} -v \ - --ignore=test/appengine \ - --ignore=test/with_dummyserver/test_proxy_poolmanager.py \ - --ignore=test/with_dummyserver/test_poolmanager.py \ - -k "${skiplist}" \ - src/urllib3 test} +%pytest -k "${skiplist}" %endif %if ! %{with test} diff --git a/urllib3-1.25.2.tar.gz b/urllib3-1.25.2.tar.gz deleted file mode 100644 index 5f3512f..0000000 --- a/urllib3-1.25.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a53063d8b9210a7bdec15e7b272776b9d42b2fd6816401a0d43006ad2f9902db -size 261479 diff --git a/urllib3-1.25.3.tar.gz b/urllib3-1.25.3.tar.gz new file mode 100644 index 0000000..57066aa --- /dev/null +++ b/urllib3-1.25.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232 +size 262150 From b5dc6c76c325821afef6cfbd3ceb849e9491d9a6e96025e8775c9f0acc179d29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 29 May 2019 08:26:07 +0000 Subject: [PATCH 07/10] - Unbundle the six, rfc3986, and backports.ssl_match_hostname OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=65 --- python-urllib3.changes | 5 ++++ python-urllib3.spec | 56 +++++++++++++++++++++++++++++++++++---- ssl_match_hostname_py3.py | 1 + 3 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 ssl_match_hostname_py3.py diff --git a/python-urllib3.changes b/python-urllib3.changes index 681ab3f..1dab00d 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed May 29 08:20:27 UTC 2019 - Tomáš Chvátal + +- Unbundle the six, rfc3986, and backports.ssl_match_hostname + ------------------------------------------------------------------- Fri May 24 19:16:21 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index de77ab2..c3f69ba 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -34,17 +34,22 @@ License: MIT Group: Development/Languages/Python URL: http://urllib3.readthedocs.org/ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz +# Wrapper for ssl to unbundle ssl_match_hostname +Source1: ssl_match_hostname_py3.py # PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate path is supplied # should be removed in the future, see SR#437853 -Patch2: urllib3-ssl-default-context.patch +Patch0: urllib3-ssl-default-context.patch # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date -Patch4: python-urllib3-recent-date.patch +Patch1: python-urllib3-recent-date.patch # for SSL module on older distros BuildRequires: %{oldpython} BuildRequires: %{python_module PySocks} BuildRequires: %{python_module psutil} +BuildRequires: %{python_module rfc3986} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module six} BuildRequires: fdupes +BuildRequires: python-backports.ssl_match_hostname BuildRequires: python-rpm-macros BuildRequires: python2-ipaddress #!BuildIgnore: python-requests @@ -52,7 +57,12 @@ Requires: ca-certificates-mozilla Requires: python-cryptography Requires: python-idna Requires: python-pyOpenSSL +Requires: python-rfc3986 +Requires: python-six BuildArch: noarch +%ifpython2 +Requires: python-backports.ssl_match_hostname +%endif %if %{with test} BuildRequires: %{python_module brotlipy} BuildRequires: %{python_module idna} 
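Review bot: `Requires: python-rfc3986` and `BuildRequires: %{python_module rfc3986}` are unversioned, although the 1.25.3 changelog entry says the release being packaged bundles rfc3986 v1.3.2. After unbundling, URL parsing is done by whatever rfc3986 the system provides, so an older copy can silently replace the one upstream tested against. A lower bound such as `Requires: python-rfc3986 >= 1.3.2`, with the same bound on the BuildRequires, keeps the parser at least at the bundled level. The same consideration applies to `python-six`, whose bundled version is not shown on this page.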
@@ -87,22 +97,58 @@ Highlights %prep %setup -q -n urllib3-%{version} -%patch2 -p1 -%patch4 -p1 +%autopatch -p1 find . -type f -exec chmod a-x '{}' \; find . -name __pycache__ -type d -exec rm -fr {} + +# Drop the dummyserver tests, they fail in OBS +rm test/with_dummyserver/test_proxy_poolmanager.py +rm test/with_dummyserver/test_poolmanager.py +# Don't run the Google App Engine tests +rm -r test/appengine/ + %build %python_build %install %if !%{with test} %python_install + %{python_expand \ $python -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/ $python -O -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/ -%fdupes %{buildroot}%{$python_sitelib} } + +# Unbundle the Python 2 build +rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py* +rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname/ +rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986/ + +mkdir -p %{buildroot}/%{python2_sitelib}/urllib3/packages/ +ln -s %{python2_sitelib}/six.py %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py +ln -s %{python2_sitelib}/six.pyc %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyc +ln -s %{python2_sitelib}/six.pyo %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyo +ln -s %{python2_sitelib}/backports/ssl_match_hostname \ + %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname +ln -s %{python2_sitelib}/rfc3986/ \ + %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986 +# Unbundle the Python 3 build +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py* +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six* +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/ +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986/ + +mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/ +cp -a %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py +ln -s 
%{python3_sitelib}/six.py %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py +ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ +ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ +ln -s %{python3_sitelib}/rfc3986/ \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986 + +%python_expand %fdupes %{buildroot}%{$python_sitelib} %endif %check diff --git a/ssl_match_hostname_py3.py b/ssl_match_hostname_py3.py new file mode 100644 index 0000000..963d16e --- /dev/null +++ b/ssl_match_hostname_py3.py @@ -0,0 +1 @@ +from ssl import match_hostname, CertificateError From 2925034da743fe37ce8ec6ea0903adcc4b1bb59f427b6f1997b5159ec17c3454 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 29 May 2019 08:37:50 +0000 Subject: [PATCH 08/10] OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=66 --- python-urllib3.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-urllib3.spec b/python-urllib3.spec index c3f69ba..91bda74 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec 
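Review bot: The unbundling commands in `%install` address `%{python2_sitelib}` and `%{python3_sitelib}` directly and run both halves unconditionally. A build with only one flavor enabled would still create `urllib3/packages/` entries under the other flavor's buildroot path. The byte-code links (`six.pyc`, `six.pyo`, `six.cpython-%{python3_version_nodots}.opt-1.pyc`) also assume the system six package ships exactly those files; if it does not, the package installs dangling symlinks. Guarding each half on its flavor being built and linking only `six.py` would be more robust. The `%install` section starts outside this hunk.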
@@ -153,7 +153,7 @@ ln -s %{python3_sitelib}/rfc3986/ \ %check %if %{with test} -skiplist='not test_select_interrupt_exception and not test_selector_error and not timeout and not test_request_host_header_ignores_fqdn_dot and not test_dotted_fqdn' +skiplist='not test_select_interrupt_exception and not test_selector_error and not timeout and not test_request_host_header_ignores_fqdn_dot and not test_dotted_fqdn and not TestImportWithoutSSL' case $(uname -m) in ppc*) skiplist="$skiplist and not test_select_timing and not test_select_multiple_interrupts_with_event and not test_interrupt_wait_for_read_with_event and not test_select_interrupt_with_event";; From f67d02d92474df82758dc1f589d81ca7ff4980ec9809d7353486de1138066945 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 29 May 2019 08:59:51 +0000 Subject: [PATCH 09/10] - Add more test to skip as with new openssl some behaviour changed and we can't rely on them anymore OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=67 --- python-urllib3.changes | 6 ++++++ python-urllib3.spec | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/python-urllib3.changes b/python-urllib3.changes index 1dab00d..d0b43d3 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed May 29 08:59:29 UTC 2019 - Tomáš Chvátal + +- Add more test to skip as with new openssl some behaviour changed + and we can't rely on them anymore + ------------------------------------------------------------------- Wed May 29 08:20:27 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index 91bda74..4a3aeca 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec 
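Review bot: The added `and not TestImportWithoutSSL` term has no comment and the commit carries no description, so the reason this test class is excluded is not recorded anywhere. It looks related to the Python 3 ssl_match_hostname shim from the earlier patch, which does `from ssl import match_hostname, CertificateError` unconditionally and would make an import without `ssl` fail; if that is the cause, the skip masks a behaviour change introduced by the packaging rather than a flaky test. Say so above the assignment, e.g. `# TestImportWithoutSSL: unbundled ssl_match_hostname imports ssl unconditionally`, or move the term to its own commented `skiplist="$skiplist and not ..."` line as the later patches in this series do. The %check section continues past this hunk.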
@@ -158,6 +158,12 @@ case $(uname -m) in ppc*) skiplist="$skiplist and not test_select_timing and not test_select_multiple_interrupts_with_event and not test_interrupt_wait_for_read_with_event and not test_select_interrupt_with_event";; esac +# the tls13 tests are not run in upstream travis and they fail for us +# lets wait for upstream to sort it out first +skiplist="$skiplist and not test_set_ssl_version_to_tls_version" +# the certificate validation is much stricter in new openssl so skip +# tests which would not validate it +skiplist="$skiplist and not test_client_no_intermediate" export PYTHONDONTWRITEBYTECODE=1 %pytest -k "${skiplist}" From d9ccae276f3ff6aef8494b5f1a2a49ff70738aaaa139dcb5afc99f300b60c4d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Fri, 7 Jun 2019 11:40:42 +0000 Subject: [PATCH 10/10] - Skip test_source_address_error as we raise different error with fixes that we provide in new python2/3 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=68 --- python-urllib3.changes | 6 ++++++ python-urllib3.spec | 3 +++ 2 files changed, 9 insertions(+) diff --git a/python-urllib3.changes b/python-urllib3.changes index d0b43d3..da06827 100644 --- a/python-urllib3.changes +++ b/python-urllib3.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Jun 7 11:40:05 UTC 2019 - Tomáš Chvátal + +- Skip test_source_address_error as we raise different error with + fixes that we provide in new python2/3 + ------------------------------------------------------------------- Wed May 29 08:59:29 UTC 2019 - Tomáš Chvátal diff --git a/python-urllib3.spec b/python-urllib3.spec index 4a3aeca..8cc5ba3 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec 
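Review bot: The two new skips remove a TLS-version test and a certificate-validation test from every build, with no condition and no reference that would tell a maintainer when to re-enable them. For an update whose headline change is validating certificates by default, skipping `test_client_no_intermediate` means the build no longer exercises that path against the distribution's OpenSSL, so the stated reason deserves a pointer to the actual failing assertion. Add a tracking line to each comment, e.g. `# TODO(<upstream issue or bsc id>): drop this skip once the test passes with the current openssl`. The `test_source_address_error` skip added by the next patch in this series has the same gap. Since `-k` matches by substring, it is also worth checking that these names do not exclude more tests than intended.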
@@ -164,6 +164,9 @@ skiplist="$skiplist and not test_set_ssl_version_to_tls_version" # the certificate validation is much stricter in new openssl so skip # tests which would not validate it skiplist="$skiplist and not test_client_no_intermediate" +# we have patch to fix source address errors in python and raise different +# error than urllib3 expects in its tests +skiplist="$skiplist and not test_source_address_error" export PYTHONDONTWRITEBYTECODE=1 %pytest -k "${skiplist}"