From 82c65a25eeefb638e7dfcf74886b8a230b038898 Mon Sep 17 00:00:00 2001
From: bbrucezhang
Date: Fri, 24 May 2024 10:42:12 +0800
Subject: [PATCH 1/3] Fixed CVE-2024-35195
---
CVE-2024-35195.patch | 144 +++++++++++++++++++++++++++++++++++++++++++
python-requests.spec | 8 ++-
2 files changed, 150 insertions(+), 2 deletions(-)
create mode 100644 CVE-2024-35195.patch
diff --git a/CVE-2024-35195.patch b/CVE-2024-35195.patch
new file mode 100644
index 0000000..579f36b
--- /dev/null
+++ b/CVE-2024-35195.patch
@@ -0,0 +1,144 @@ +From c0813a2d910ea6b4f8438b91d315b8d181302356 Mon Sep 17 00:00:00 2001 +From: Ian Stapleton Cordasco +Date: Sun, 3 Mar 2024 07:00:49 -0600 +Subject: [PATCH] Use TLS settings in selecting connection pool + +Previously, if someone made a request with `verify=False` then made a +request where they expected verification to be enabled to the same host, +they would potentially reuse a connection where TLS had not been +verified. + +This fixes that issue. +--- + src/requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++- + tests/test_requests.py | 7 +++++ + tox.ini | 2 +- + 3 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/src/requests/adapters.py b/src/requests/adapters.py +index fc5606bdcb..6c62766639 100644 +--- a/src/requests/adapters.py ++++ b/src/requests/adapters.py +@@ -8,6 +8,7 @@ + + import os.path + import socket # noqa: F401 ++import typing + + from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError + from urllib3.exceptions import HTTPError as _HTTPError +@@ -61,12 +62,38 @@ def SOCKSProxyManager(*args, **kwargs): + raise InvalidSchema("Missing dependencies for SOCKS support.") + + ++if typing.TYPE_CHECKING: ++ from .models import PreparedRequest ++ ++ + DEFAULT_POOLBLOCK = False + DEFAULT_POOLSIZE = 10 + DEFAULT_RETRIES = 0 + DEFAULT_POOL_TIMEOUT = None + + ++def _urllib3_request_context( ++ request: "PreparedRequest", verify: "bool | str | None" ++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])": ++ host_params = {} ++ pool_kwargs = {} ++ parsed_request_url = urlparse(request.url) ++ scheme = parsed_request_url.scheme.lower() ++ port = parsed_request_url.port ++ cert_reqs = "CERT_REQUIRED" ++ if verify is False: ++ cert_reqs = "CERT_NONE" ++ if isinstance(verify, str): ++ pool_kwargs["ca_certs"] = verify ++ pool_kwargs["cert_reqs"] = cert_reqs ++ host_params = { ++ "scheme": scheme, ++ "host": parsed_request_url.hostname, ++ "port": port, ++ } ++ return host_params, pool_kwargs ++ 
++ + class BaseAdapter: + """The Base Transport Adapter""" + +@@ -327,6 +354,35 @@ def build_response(self, req, resp): + + return response + ++ def _get_connection(self, request, verify, proxies=None): ++ # Replace the existing get_connection without breaking things and ++ # ensure that TLS settings are considered when we interact with ++ # urllib3 HTTP Pools ++ proxy = select_proxy(request.url, proxies) ++ try: ++ host_params, pool_kwargs = _urllib3_request_context(request, verify) ++ except ValueError as e: ++ raise InvalidURL(e, request=request) ++ if proxy: ++ proxy = prepend_scheme_if_needed(proxy, "http") ++ proxy_url = parse_url(proxy) ++ if not proxy_url.host: ++ raise InvalidProxyURL( ++ "Please check proxy URL. It is malformed " ++ "and could be missing the host." ++ ) ++ proxy_manager = self.proxy_manager_for(proxy) ++ conn = proxy_manager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ else: ++ # Only scheme should be lower case ++ conn = self.poolmanager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ ++ return conn ++ + def get_connection(self, url, proxies=None): + """Returns a urllib3 connection for the given URL. 
This should not be + called from user code, and is only exposed for use when subclassing the +@@ -453,7 +509,7 @@ def send( + """ + + try: +- conn = self.get_connection(request.url, proxies) ++ conn = self._get_connection(request, verify, proxies) + except LocationValueError as e: + raise InvalidURL(e, request=request) + +diff --git a/tests/test_requests.py b/tests/test_requests.py +index 32b5e6700c..d5cc13c79f 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -2828,6 +2828,13 @@ def test_status_code_425(self): + assert r5 == 425 + assert r6 == 425 + ++ def test_different_connection_pool_for_tls_settings(self): ++ s = requests.Session() ++ r1 = s.get("https://invalid.badssl.com", verify=False) ++ assert r1.status_code == 421 ++ with pytest.raises(requests.exceptions.SSLError): ++ s.get("https://invalid.badssl.com") ++ + + def test_json_decode_errors_are_serializable_deserializable(): + json_decode_error = requests.exceptions.JSONDecodeError( +diff --git a/tox.ini b/tox.ini +index d2b529e2b9..c438ef316a 100644 +--- a/tox.ini ++++ b/tox.ini +@@ -7,7 +7,7 @@ extras = + security + socks + commands = +- pytest tests ++ pytest {posargs:tests} + + [testenv:default] + diff --git a/python-requests.spec b/python-requests.spec index 3a37fe2..be4fa19 100644 --- a/python-requests.spec +++ b/python-requests.spec @@ -3,12 +3,13 @@ Summary: A simple, yet elegant, HTTP library Name: python-requests Version: 2.28.2 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: https://pypi.io/project/requests Source0: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz Patch0001: https://github.com/psf/requests/commit/74ea7cf7a6.patch#/CVE-2023-32681.patch +Patch0002: https://github.com/psf/requests/commit/a58d7f2ffb.patch#/CVE-2024-35195.patch BuildRequires: python%{python3_pkgversion}-devel pyproject-rpm-macros %if %{with tests} 
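Review bot: `send` now calls `self._get_connection(request, verify, proxies)` in place of `self.get_connection(request.url, proxies)`, so an adapter subclass that overrides `get_connection` — the docstring a few lines above calls it the hook "exposed for use when subclassing" — is silently bypassed and loses its custom pool/proxy selection, while its own connections are never keyed on TLS settings; either have `_get_connection` defer to the public hook or state the break in the spec changelog. The new pool key carries only `cert_reqs` and `ca_certs`; the client certificate that `send` receives (`cert=`, not shown in this hunk) is not folded into `pool_kwargs`, so two requests to the same host with different client identities would presumably still share a pool — worth confirming, as later upstream revisions of this fix are believed to key on it as well. `test_different_connection_pool_for_tls_settings` contacts `invalid.badssl.com` over the network, so if `%{with tests}` is enabled in an offline build root it will fail or hang; mark it with a network skip or deselect it in the spec's `%check` rather than letting the CVE build depend on an external host.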
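Review bot: `Patch0002` points at `https://github.com/psf/requests/commit/a58d7f2ffb.patch`, but the file added as `CVE-2024-35195.patch` starts with `From c0813a2d910ea6b4f8438b91d315b8d181302356` and the later patches in this series rewrite its header, index hashes and paths by hand, so the URL no longer describes the bytes that get applied and a downstream reader cannot check the backport against upstream from the spec alone. Add a comment above the line stating the origin and what was adapted, e.g. `# Backport of psf/requests a58d7f2ffb for 2.28.2: src/requests/ -> requests/, hunk offsets adjusted`, and keep the `#/CVE-2024-35195.patch` fragment as the local file name. rpmbuild reads only the local file and never fetches that URL, so this is a provenance problem rather than a build one, but for a security patch the provenance is the point.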
@@ -62,8 +63,11 @@ sed -i 's/ --doctest-modules//' pyproject.toml %doc README.md HISTORY.md %changelog +* Fri May 24 2024 Ze Zhang - 2.28.2-2 +- Fixed CVE-2024-35195 + * Thu Sep 21 2023 Shuo Wang - 2.28.2-1 -- update to 2.28.2 +- Update to 2.28.2 * Tue Sep 19 2023 OpenCloudOS Release Engineering - 2.28.1-5 - Rebuilt for python 3.11 -- Gitee From 7a6dd73624d058b7caa4eb9fe8382d7911f14980 Mon Sep 17 00:00:00 2001 From: bbrucezhang Date: Fri, 24 May 2024 11:02:56 +0800 Subject: [PATCH 2/3] Fixed CVE-2024-35195 --- CVE-2024-35195.patch | 8 ++++---- python-requests.spec | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CVE-2024-35195.patch b/CVE-2024-35195.patch index 579f36b..2da95d4 100644 --- a/CVE-2024-35195.patch +++ b/CVE-2024-35195.patch @@ -10,15 +10,15 @@ verified. This fixes that issue. --- - src/requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++- + requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++- tests/test_requests.py | 7 +++++ tox.ini | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) -diff --git a/src/requests/adapters.py b/src/requests/adapters.py +diff --git a/requests/adapters.py b/requests/adapters.py index fc5606bdcb..6c62766639 100644 ---- a/src/requests/adapters.py -+++ b/src/requests/adapters.py +--- a/requests/adapters.py ++++ b/requests/adapters.py @@ -8,6 +8,7 @@ import os.path diff --git a/python-requests.spec b/python-requests.spec index be4fa19..da03943 100644 --- a/python-requests.spec +++ b/python-requests.spec @@ -64,7 +64,8 @@ sed -i 's/ --doctest-modules//' pyproject.toml %changelog * Fri May 24 2024 Ze Zhang - 2.28.2-2 -- Fixed CVE-2024-35195 +- [Type] bugfix +- [DESC] Fixed CVE-2024-35195 * Thu Sep 21 2023 Shuo Wang - 2.28.2-1 - Update to 2.28.2 -- Gitee From afa322d26089d8ffed9a82ab9ba334a2fa06825c Mon Sep 17 00:00:00 2001 
From: bbrucezhang Date: Fri, 24 May 2024 11:29:56 +0800 Subject: [PATCH 3/3] Fixed CVE-2024-35195 --- CVE-2024-35195.patch | 46 +++++++++++++++++++------------------------- 1 file changed, 20 insertions(+), 26 deletions(-) diff --git a/CVE-2024-35195.patch b/CVE-2024-35195.patch index 2da95d4..48b453d 100644 --- a/CVE-2024-35195.patch +++ b/CVE-2024-35195.patch @@ -1,25 +1,19 @@ -From c0813a2d910ea6b4f8438b91d315b8d181302356 Mon Sep 17 00:00:00 2001 +From 134fc4d05ee78b3a32c5e0fec469af194fefd96a Mon Sep 17 00:00:00 2001 From: Ian Stapleton Cordasco -Date: Sun, 3 Mar 2024 07:00:49 -0600 +Date: Fri, 24 May 2024 11:22:34 +0800 Subject: [PATCH] Use TLS settings in selecting connection pool -Previously, if someone made a request with `verify=False` then made a -request where they expected verification to be enabled to the same host, -they would potentially reuse a connection where TLS had not been -verified. - -This fixes that issue. --- - requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++- - tests/test_requests.py | 7 +++++ - tox.ini | 2 +- + requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++- + tests/test_requests.py | 7 +++++ + tox.ini | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) diff --git a/requests/adapters.py b/requests/adapters.py -index fc5606bdcb..6c62766639 100644 +index d3b2d5b..0e5cf7c 100644 --- a/requests/adapters.py +++ b/requests/adapters.py -@@ -8,6 +8,7 @@ +@@ -8,6 +8,7 @@ and maintain connections. import os.path import socket # noqa: F401 @@ -27,7 +21,7 @@ index fc5606bdcb..6c62766639 100644 from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError from urllib3.exceptions import HTTPError as _HTTPError -@@ -61,12 +62,38 @@ def SOCKSProxyManager(*args, **kwargs): +@@ -62,12 +63,38 @@ except ImportError: raise InvalidSchema("Missing dependencies for SOCKS support.") 
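Review bot: The rewritten header keeps `From: Ian Stapleton Cordasco` but swaps his date for `Fri, 24 May 2024 11:22:34 +0800` and deletes the rationale paragraph ("Previously, if someone made a request with `verify=False` … This fixes that issue."), so the patch now attributes a locally regenerated commit to the upstream author and no longer explains the vulnerability it fixes. Keep the original Subject, Date and body verbatim and describe the adaptation below them, e.g. `[Backported to 2.28.2: src/requests/ -> requests/, hunk offsets adjusted]`, followed by a `Signed-off-by:` line for whoever did the backport. Replacing `index fc5606bdcb..6c62766639` with `index d3b2d5b..0e5cf7c` is harmless for `%patch -p1` but is one more reason the file can no longer be byte-compared with upstream, so the spec should name the upstream commit it derives from.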
@@ -66,7 +60,7 @@ index fc5606bdcb..6c62766639 100644 class BaseAdapter: """The Base Transport Adapter""" -@@ -327,6 +354,35 @@ def build_response(self, req, resp): +@@ -330,6 +357,35 @@ class HTTPAdapter(BaseAdapter): return response @@ -102,7 +96,7 @@ index fc5606bdcb..6c62766639 100644 def get_connection(self, url, proxies=None): """Returns a urllib3 connection for the given URL. This should not be called from user code, and is only exposed for use when subclassing the -@@ -453,7 +509,7 @@ def send( +@@ -453,7 +509,7 @@ class HTTPAdapter(BaseAdapter): """ try: @@ -112,25 +106,22 @@ index fc5606bdcb..6c62766639 100644 raise InvalidURL(e, request=request) diff --git a/tests/test_requests.py b/tests/test_requests.py -index 32b5e6700c..d5cc13c79f 100644 +index e58d45e..9a4ff12 100644 --- a/tests/test_requests.py +++ b/tests/test_requests.py -@@ -2828,6 +2828,13 @@ def test_status_code_425(self): - assert r5 == 425 - assert r6 == 425 - +@@ -2778,3 +2778,10 @@ class TestPreparingURLs: + with pytest.raises(requests.exceptions.JSONDecodeError) as excinfo: + r.json() + assert excinfo.value.doc == r.text ++ + def test_different_connection_pool_for_tls_settings(self): + s = requests.Session() + r1 = s.get("https://invalid.badssl.com", verify=False) + assert r1.status_code == 421 + with pytest.raises(requests.exceptions.SSLError): + s.get("https://invalid.badssl.com") -+ - - def test_json_decode_errors_are_serializable_deserializable(): - json_decode_error = requests.exceptions.JSONDecodeError( diff --git a/tox.ini b/tox.ini -index d2b529e2b9..c438ef316a 100644 +index 546c737..e418aa4 100644 --- a/tox.ini +++ b/tox.ini @@ -7,7 +7,7 @@ extras = @@ -142,3 +133,6 @@ index d2b529e2b9..c438ef316a 100644 [testenv:default] +-- +2.41.0 + -- Gitee