import python-urllib3-1.26.5-6.el9

c9-beta imports/c9-beta/python-urllib3-1.26.5-6.el9
MSVSphere Packaging Team 3 months ago
parent b3ef948ead
commit 4890342dc7
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -0,0 +1,38 @@
From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001
From: Hasan Ramezani <hasan.r67@gmail.com>
Date: Thu, 20 Jan 2022 15:56:02 +0100
Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS
---
src/urllib3/poolmanager.py | 1 +
test/with_dummyserver/test_poolmanager.py | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
index 3a31a285bf..ca4ec34118 100644
--- a/src/urllib3/poolmanager.py
+++ b/src/urllib3/poolmanager.py
@@ -34,6 +34,7 @@
"ca_cert_dir",
"ssl_context",
"key_password",
+ "server_hostname",
)
# All known keyword arguments that could be provided to the pool manager, its
diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
index d877cc99ac..fa07a372a9 100644
--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -346,6 +346,11 @@ def test_http_with_ssl_keywords(self):
r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
assert r.status == 200
+ def test_http_with_server_hostname(self):
+ with PoolManager(server_hostname="example.com") as http:
+ r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
+ assert r.status == 200
+
def test_http_with_ca_cert_dir(self):
with PoolManager(ca_certs="REQUIRED", ca_cert_dir="/nosuchdir") as http:
r = http.request("GET", "http://%s:%s/" % (self.host, self.port))

@ -0,0 +1,66 @@
From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Wed, 26 Jun 2024 15:56:34 +0200
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* [1.26] Strip Proxy-Authorization header on redirects
* Set release date
---
src/urllib3/util/retry.py | 4 +++-
test/test_retry.py | 6 +++++-
test/test_retry_deprecated.py | 6 +++++-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 63c02ee..42fa619 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -217,7 +217,9 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Maximum backoff time.
BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index e9270bb..cf60bf1 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -293,7 +293,11 @@ class TestRetry(object):
def test_retry_default_remove_headers_on_redirect(self):
retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
def test_retry_set_remove_headers_on_redirect(self):
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
index d18f94c..a107f7b 100644
--- a/test/test_retry_deprecated.py
+++ b/test/test_retry_deprecated.py
@@ -295,7 +295,11 @@ class TestRetry(object):
def test_retry_default_remove_headers_on_redirect(self):
retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
def test_retry_set_remove_headers_on_redirect(self):
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
--
2.44.0

@ -6,7 +6,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 1.26.5 Version: 1.26.5
Release: 5%{?dist} Release: 6%{?dist}
Summary: Python HTTP library with thread-safe connection pooling and file post Summary: Python HTTP library with thread-safe connection pooling and file post
License: MIT License: MIT
@ -32,6 +32,17 @@ Patch1: CVE-2023-43804.patch
# Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 # Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
Patch2: CVE-2023-45803.patch Patch2: CVE-2023-45803.patch
# PoolManager.urlopen fails with TypeError for http connection if the PoolManager is instantiated with server_hostname
# Tracking bug: https://issues.redhat.com/browse/RHEL-39285
# Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch
# CVE-2024-37891
# Proxy-authorization request header is not stripped during cross-origin redirects.
# Tracking bug: https://issues.redhat.com/browse/RHEL-43172
# Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
Patch4: CVE-2024-37891.patch
%description %description
Python HTTP module with connection pooling and file POST abilities. Python HTTP module with connection pooling and file POST abilities.
@ -134,6 +145,13 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
%changelog %changelog
* Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6
- Security fix for CVE-2024-37891
- Backport upstream patch to fix TypeError for http connection if the PoolManager
- is instantiated with server_hostname
Resolves: RHEL-43172
Resolves: RHEL-39285
* Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5 * Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5
- Security fix for CVE-2023-45803 - Security fix for CVE-2023-45803
Resolves: RHEL-16874 Resolves: RHEL-16874

Loading…
Cancel
Save