From 2f89970fecc10f343395ef1202d4914f94c2b8ee Mon Sep 17 00:00:00 2001
From: y00574793
Date: Mon, 17 Jun 2024 15:53:46 +0800
Subject: [PATCH] fix CVE-2023-43804

---
 ...ed-the-Cookie-to-the-list-of-headers.patch | 28 +++++++++++++++++++
 python-pip.spec | 6 +++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch

diff --git a/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
new file mode 100644
index 0000000..29b7352
--- /dev/null
+++ b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
@@ -0,0 +1,28 @@
+From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Mon, 2 Oct 2023 11:43:46 -0500
+Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
+
+Co-authored-by: Quentin Pradet
+Co-authored-by: Illia Volochii
+
+Conflict:NA
+Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index c7dc42f..c7c0427 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
++++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -217,7 +217,7 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
diff --git a/python-pip.spec b/python-pip.spec
index df5b956..4c427c1 100644
--- a/python-pip.spec
+++ b/python-pip.spec
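Review bot: The retry.py change strips `Cookie` only on redirects that urllib3 follows itself through `remove_headers_on_redirect`, so whether it closes CVE-2023-43804 for this package depends on which layer actually follows redirects on pip's download path; pip's vendored requests appears to handle redirects on its own, so confirm the fix is reachable from pip's real request flow before treating the CVE as fully addressed by this one-line backport. The hunk itself is a faithful port of the referenced upstream commit 01220354 and keeps the header ordering used there. The `Retry` class continues outside the inner hunk, so any other header-stripping defaults it declares are not visible here.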
@@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 21.3.1
-Release: 4
+Release: 5
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -22,6 +22,7 @@ Patch6003: backport-0002-CVE-2024-3651.patch
 Patch6004: backport-0003-CVE-2024-3651.patch
 Patch6005: backport-0004-CVE-2024-3651.patch
 Patch6006: backport-0005-CVE-2024-3651.patch
+Patch6007: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
 
 Source10: pip-allow-older-versions.patch
 
@@ -124,6 +125,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Mon Jun 17 2024 yangyuan - 21.3.1-5
+- fix CVE-2023-43804
+
 * Fri Jun 7 2024 yangyuan - 21.3.1-4
 - fix CVE-2024-3651
-- Gitee
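Review bot: Declaring `Patch6007:` only registers the patch; the `%prep` section is outside these hunks, so it is not visible whether the patch is applied (an `%autosetup -p1` would pick it up automatically, an explicit `%patch` list would not) — verify the built package actually contains the retry.py change, otherwise release 5 bumps the version without shipping the fix. The changelog entry would be more useful to downstream auditors if it cited the upstream origin, e.g. `- fix CVE-2023-43804 (backport of urllib3 commit 01220354)`, since the CVE number alone does not say which vendored component was patched. The Release bump and the changelog hunk are otherwise routine.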