diff --git a/CVE-2023-32681.patch b/CVE-2023-32681.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b4cd79a3ad4207cdc0d3f391f7a4521a7044099
--- /dev/null
+++ b/CVE-2023-32681.patch
@@ -0,0 +1,56 @@ +From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Mon, 22 May 2023 08:08:57 -0700 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index 6cb3b4dae3..dbcf2a7b0e 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers["Proxy-Authorization"] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index b1c8dd4534..b420c44d73 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): + + assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + ++ ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ + def test_basicauth_with_netrc(self, httpbin): + auth = ("user", "pass") + wrong_auth = ("wronguser", "wrongpass") 
diff --git a/python-requests.spec b/python-requests.spec index eb39a2c412cbb5ae3abcf18fd08f5d275e5dd6c9..3a37fe2505190983c722f8b709e263ac142708a2 100644 --- a/python-requests.spec +++ b/python-requests.spec @@ -2,14 +2,13 @@ Summary: A simple, yet elegant, HTTP library Name: python-requests -Version: 2.28.1 -Release: 5%{?dist} +Version: 2.28.2 +Release: 1%{?dist} License: ASL 2.0 URL: https://pypi.io/project/requests Source0: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz -Patch3000: requests-2.28.1-system-certs.patch -Patch3001: requests-2.28.1-tests_nonet.patch +Patch0001: https://github.com/psf/requests/commit/74ea7cf7a6.patch#/CVE-2023-32681.patch BuildRequires: python%{python3_pkgversion}-devel pyproject-rpm-macros %if %{with tests} @@ -55,7 +54,7 @@ sed -i 's/ --doctest-modules//' pyproject.toml %if %{with tests} %check -%pytest -v -k "not (test_connect_timeout or test_total_timeout_connect)" +%pytest -v %endif %files -n python%{python3_pkgversion}-requests -f %{pyproject_files} @@ -63,6 +62,9 @@ sed -i 's/ --doctest-modules//' pyproject.toml %doc README.md HISTORY.md %changelog +* Thu Sep 21 2023 Shuo Wang - 2.28.2-1 +- update to 2.28.2 + * Tue Sep 19 2023 OpenCloudOS Release Engineering - 2.28.1-5 - Rebuilt for python 3.11 diff --git a/requests-2.28.1-system-certs.patch b/requests-2.28.1-system-certs.patch deleted file mode 100644 index 58bd6b37bf855ca0c4a5cc2fb421b3e5fd49a0d3..0000000000000000000000000000000000000000 --- a/requests-2.28.1-system-certs.patch +++ /dev/null 
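Review bot: Dropping Patch3000 (requests-2.28.1-system-certs.patch) in the first hunk without a rebased replacement silently changes what `requests.certs.where()` returns from the distro bundle `/etc/pki/tls/certs/ca-bundle.crt` back to certifi's bundled store and, because that patch also removed `certifi>=2017.4.17` from install_requires, reintroduces the certifi runtime dependency (which the %pyproject macros will presumably turn into a Requires) — a TLS trust-store change for every consumer that the new %changelog entry (`- update to 2.28.2`) does not mention. If the intent is to rely on the distribution's certifi package instead, say so in the changelog; otherwise the patch should be rebased onto 2.28.2 rather than deleted. The same hunk also drops Patch3001 (testserver host `localhost` → `127.0.0.1`) and the second hunk removes the `-k "not (test_connect_timeout or test_total_timeout_connect)"` filter from %check; both look like offline-buildroot workarounds and nothing explains why they are safe to re-enable, so %check may now fail without network. The changelog in the third hunk should also record the security fix this update ships, e.g. `- fix CVE-2023-32681: Proxy-Authorization header leaked on HTTPS requests (Patch0001)` and `- drop system-certs and tests_nonet patches`.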
@@ -1,37 +0,0 @@ ---- requests-2.28.1/requests/certs.py 2022-07-12 13:55:25.378079641 -0700 -+++ requests-2.28.1/requests/certs.py.new 2022-07-12 13:57:03.834621295 -0700 -@@ -9,8 +9,13 @@ - If you are packaging Requests, e.g., for a Linux distribution or a managed - environment, you can change the definition of where() to return a separately - packaged CA bundle. -+ -+This Fedora-patched package returns "/etc/pki/tls/certs/ca-bundle.crt" provided -+by the ca-certificates RPM package. - """ --from certifi import where -+def where(): -+ """Return the absolute path to the system CA bundle.""" -+ return '/etc/pki/tls/certs/ca-bundle.crt' - - if __name__ == "__main__": - print(where()) ---- requests-2.28.1/setup.py 2022-06-29 08:09:11.000000000 -0700 -+++ requests-2.28.1/setup.py.new 2022-07-12 13:58:33.830116402 -0700 -@@ -62,7 +62,6 @@ - "charset_normalizer>=2,<3", - "idna>=2.5,<4", - "urllib3>=1.21.1,<1.27", -- "certifi>=2017.4.17", - ] - test_requirements = [ - "pytest-httpbin==0.0.7", ---- requests-2.28.1/setup.cfg 2022-06-29 08:09:11.000000000 -0700 -+++ requests-2.28.1/setup.cfg.new 2022-07-12 13:58:19.619038220 -0700 -@@ -4,7 +4,6 @@ - socks - use_chardet_on_py3 - requires-dist = -- certifi>=2017.4.17 - charset_normalizer>=2,<3 - idna>=2.5,<4 - urllib3>=1.21.1,<1.27 diff --git a/requests-2.28.1-tests_nonet.patch b/requests-2.28.1-tests_nonet.patch deleted file mode 100644 index 32e96ee8e40ace8435cfe4b8117edbe5137747b7..0000000000000000000000000000000000000000 --- a/requests-2.28.1-tests_nonet.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- requests-2.28.1/tests/testserver/server.py 2022-06-29 08:09:11.000000000 -0700 -+++ requests-2.28.1/tests/testserver/server.py.new 2022-07-12 14:04:30.218077055 -0700 -@@ -29,7 +29,7 @@ - def __init__( - self, - handler=None, -- host="localhost", -+ host="127.0.0.1", - port=0, - requests_to_handle=1, - wait_to_close_event=None, 
diff --git a/sources b/sources
index 6918890510ab2cdd33150f6f9e6609772cab43d0..9f2da1eacf6ffc1320adb2943c8d1064aee545e3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (requests-v2.28.1.tar.gz) = caed2d08340c79af9448eefaa1df796f9112a7c8da30b218d5f342326a9629d95928c0978b9600e4bd7f56a297ef41afb088af390738be431b91b8c7429e741b
+SHA512 (requests-v2.28.2.tar.gz) = 88c5a92ea51cd18e7edd49a6259d7b56bc0c17f86067f796b5f668ed35202b8bc1395e4811ee2089350e08893dcd304c9801dbf087abfaff1d14859e31bce8ac