From f1ac59bf1f51054e43d5e63a415c51f151ab9f1093749e6ebe9af1761f75f960 Mon Sep 17 00:00:00 2001
From: Daniel Garcia
Date: Mon, 12 Jun 2023 12:04:25 +0000
Subject: [PATCH] - Security Update to 2.31.0 (bsc#1211674):

Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

Full details can be read in our Github Security Advisory and CVE-2023-32681.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-requests?expand=0&rev=177
---
 python-requests.changes | 26 ++++++++++++++++++++++++++
 python-requests.spec | 4 +---
 requests-2.30.0.tar.gz | 3 ---
 requests-2.31.0.tar.gz | 3 +++
 requests-no-hardcoded-version.patch | 27 ---------------------------
 5 files changed, 30 insertions(+), 33 deletions(-)
 delete mode 100644 requests-2.30.0.tar.gz
 create mode 100644 requests-2.31.0.tar.gz
 delete mode 100644 requests-no-hardcoded-version.patch
diff --git a/python-requests.changes b/python-requests.changes
index 8d2a5b9..d07c804 100644
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Mon Jun 12 12:02:29 UTC 2023 - Daniel Garcia
+
+- Security Update to 2.31.0 (bsc#1211674):
+ Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
+ forwarding of Proxy-Authorization headers to destination servers when
+ following HTTPS redirects.
+
+ When proxies are defined with user info (https://user:pass@proxy:8080), Requests
+ will construct a Proxy-Authorization header that is attached to the request to
+ authenticate with the proxy.
+
+ In cases where Requests receives a redirect response, it previously reattached
+ the Proxy-Authorization header incorrectly, resulting in the value being
+ sent through the tunneled connection to the destination server. Users who rely on
+ defining their proxy credentials in the URL are strongly encouraged to upgrade
+ to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
+ credentials once the change has been fully deployed.
+
+ Users who do not use a proxy or do not supply their proxy credentials through
+ the user information portion of their proxy URL are not subject to this
+ vulnerability.
+
+ Full details can be read in our Github Security Advisory
+ and CVE-2023-32681.
+
 -------------------------------------------------------------------
 Fri May 5 12:03:42 UTC 2023 - Johannes Kastl
diff --git a/python-requests.spec b/python-requests.spec
index 4a5a392..5a3f87e 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -26,14 +26,12 @@
 %endif
 %{?sle15_python_module_pythons}
 Name: python-requests%{psuffix}
-Version: 2.30.0
+Version: 2.31.0
 Release: 0
 Summary: Python HTTP Library
 License: Apache-2.0
 URL: https://docs.python-requests.org/
 Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM: Allow charset normalizer >=2 and <4, and don't strict require httpbin===1.0.0
-Patch0: requests-no-hardcoded-version.patch
 BuildRequires: %{python_module base >= 3.7}
 BuildRequires: %{python_module setuptools}
 BuildRequires: fdupes
diff --git a/requests-2.30.0.tar.gz b/requests-2.30.0.tar.gz
deleted file mode 100644
index 3b62e60..0000000
--- a/requests-2.30.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4
-size 108411
diff --git a/requests-2.31.0.tar.gz b/requests-2.31.0.tar.gz
new file mode 100644
index 0000000..74eeead
--- /dev/null
+++ b/requests-2.31.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
+size 110794
diff --git a/requests-no-hardcoded-version.patch b/requests-no-hardcoded-version.patch
deleted file mode 100644
index 76cf772..0000000
--- a/requests-no-hardcoded-version.patch
+++ /dev/null
@@ -1,27 +0,0 @@
----
- requirements-dev.txt | 2 +-
- setup.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/requirements-dev.txt
-+++ b/requirements-dev.txt
-@@ -1,7 +1,7 @@
- -e .[socks]
- pytest>=2.8.0,<=6.2.5
- pytest-cov
--pytest-httpbin==1.0.0
-+pytest-httpbin>=1.0.0
- pytest-mock==2.0.0
- httpbin==0.7.0
- trustme
---- a/setup.py
-+++ b/setup.py
-@@ -65,7 +65,7 @@ requires = [
- "certifi>=2017.4.17",
- ]
- test_requirements = [
-- "pytest-httpbin==0.0.7",
-+ "pytest-httpbin>=0.0.7",
- "pytest-cov",
- "pytest-mock",
- "pytest-xdist",
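Review bot: Dropping `Patch0: requests-no-hardcoded-version.patch` alongside the bump to 2.31.0 assumes the new tarball no longer pins `pytest-httpbin` exactly in requirements-dev.txt and setup.py (the deleted patch relaxed `==1.0.0` and `==0.0.7` to `>=`); if 2.31.0 still carries exact pins, the test run will fail against the distribution's pytest-httpbin rather than the build, so confirm against the unpacked source or keep a rebased patch. The removed comment also mentions a charset_normalizer range that the deleted patch body does not touch, so that part was already stale and its removal is fine. Since this is a security update that replaces the upstream artifact, the only integrity record visible here is the git-lfs sha256 pointer for requests-2.31.0.tar.gz; consider verifying that digest against the checksum published on PyPI before accepting, or adding a `Source1: %{name}-%{version}.tar.gz.asc` plus keyring so the build itself checks the tarball. The spec's test section, if any, lies outside this hunk.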