diff --git a/backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch b/backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3df1affd32cf0c9f23faf8ed84d21e979c34511
--- /dev/null
+++ b/backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch
@@ -0,0 +1,136 @@
+From d49704d6b02adb835a4c1193a09f89ff298963e5 Mon Sep 17 00:00:00 2001
+From: Ian Stapleton Cordasco
+Date: Sun, 3 Mar 2024 07:00:49 -0600
+Subject: [PATCH] Use TLS settings in selecting connection pool
+
+Previously, if someone made a request with `verify=False` then made a
+request where they expected verification to be enabled to the same host,
+they would potentially reuse a connection where TLS had not been
+verified.
+
+This fixes that issue.
+
+Signed-off-by: qiaojijun
+---
+ requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++-
+ tests/test_requests.py | 7 +++++
+ 2 files changed, 64 insertions(+), 1 deletion(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 78e3bb6..3765568 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -8,6 +8,7 @@ and maintain connections.
+
+ import os.path
+ import socket # noqa: F401
++import typing
+
+ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -60,6 +61,10 @@ except ImportError:
+ def SOCKSProxyManager(*args, **kwargs):
+ raise InvalidSchema("Missing dependencies for SOCKS support.")
+
++if typing.TYPE_CHECKING:
++ from .models import PreparedRequest
++
++
+
+ DEFAULT_POOLBLOCK = False
+ DEFAULT_POOLSIZE = 10
+@@ -67,6 +72,28 @@ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+
+
++def _urllib3_request_context(
++ request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++ host_params = {}
++ pool_kwargs = {}
++ parsed_request_url = urlparse(request.url)
++ scheme = parsed_request_url.scheme.lower()
++ port = parsed_request_url.port
++ cert_reqs = "CERT_REQUIRED"
++ if verify is False:
++ cert_reqs = "CERT_NONE"
++ if isinstance(verify, str):
++ pool_kwargs["ca_certs"] = verify
++ pool_kwargs["cert_reqs"] = cert_reqs
++ host_params = {
++ "scheme": scheme,
++ "host": parsed_request_url.hostname,
++ "port": port,
++ }
++ return host_params, pool_kwargs
++
++
+ class BaseAdapter:
+ """The Base Transport Adapter"""
+
+@@ -328,6 +355,35 @@ class HTTPAdapter(BaseAdapter):
+
+ return response
+
++ def _get_connection(self, request, verify, proxies=None):
++ # Replace the existing get_connection without breaking things and
++ # ensure that TLS settings are considered when we interact with
++ # urllib3 HTTP Pools
++ proxy = select_proxy(request.url, proxies)
++ try:
++ host_params, pool_kwargs = _urllib3_request_context(request, verify)
++ except ValueError as e:
++ raise InvalidURL(e, request=request)
++ if proxy:
++ proxy = prepend_scheme_if_needed(proxy, "http")
++ proxy_url = parse_url(proxy)
++ if not proxy_url.host:
++ raise InvalidProxyURL(
++ "Please check proxy URL. It is malformed "
++ "and could be missing the host."
++ )
++ proxy_manager = self.proxy_manager_for(proxy)
++ conn = proxy_manager.connection_from_host(
++ **host_params, pool_kwargs=pool_kwargs
++ )
++ else:
++ # Only scheme should be lower case
++ conn = self.poolmanager.connection_from_host(
++ **host_params, pool_kwargs=pool_kwargs
++ )
++
++ return conn
++
+ def get_connection(self, url, proxies=None):
+ """Returns a urllib3 connection for the given URL. This should not be
+ called from user code, and is only exposed for use when subclassing the
+@@ -451,7 +507,7 @@ class HTTPAdapter(BaseAdapter):
+ """
+
+ try:
+- conn = self.get_connection(request.url, proxies)
++ conn = self._get_connection(request, verify, proxies)
+ except LocationValueError as e:
+ raise InvalidURL(e, request=request)
+
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index b420c44..ef724fb 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -2795,6 +2795,13 @@ class TestPreparingURLs:
+ with pytest.raises(requests.exceptions.InvalidJSONError):
+ requests.post(httpbin("post"), json=data)
+
++ def test_different_connection_pool_for_tls_settings(self):
++ s = requests.Session()
++ r1 = s.get("https://invalid.badssl.com", verify=False)
++ assert r1.status_code == 421
++ with pytest.raises(requests.exceptions.SSLError):
++ s.get("https://invalid.badssl.com")
++
+ def test_json_decode_compatibility(self, httpbin):
+ r = requests.get(httpbin("bytes/20"))
+ with pytest.raises(requests.exceptions.JSONDecodeError) as excinfo:
+--
+2.20.1
+
diff --git a/python-requests.spec b/python-requests.spec
index 251c455ed2546d7c8f6026ad7e7da2fe52d757f1..004dce4ccd83bd9b08494df2bbad3141178453b0 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -2,12 +2,14 @@ Name: python-requests
 Version: 2.31.0
-Release: 1
+Release: 2
 Summary: Python HTTP Library
 License: ASL 2.0
 URL: http://python-requests.org/
 Source0: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch6001: backport-requests-2.31.0-system-certs.patch
+Patch6002: backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch
+
 BuildArch: noarch
 %description
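Review bot: In the `@@ -67,6 +72,28 @@` hunk `_urllib3_request_context` keys the pool only on `cert_reqs`/`ca_certs`, so the client-certificate argument that `send` also accepts (`cert`) plays no part in pool selection and two requests to the same host that differ only in client certificate may still share a pooled connection; this backport should be checked against upstream's follow-up revisions of the fix before it ships. In the `@@ -451,7 +507,7 @@` hunk `send` now calls `_get_connection` rather than `get_connection`, so an `HTTPAdapter` subclass that overrides `get_connection` (which the docstring in this hunk describes as the subclassing hook) is silently bypassed; at minimum add a comment on `_get_connection`, e.g. `# NOTE: send() no longer goes through get_connection(); subclasses that override it must override this method instead`. The added `test_different_connection_pool_for_tls_settings` makes live HTTPS requests to an external host and asserts on its status code, while the spec runs the suite with `%{__python3} -m pytest -v`, so in an offline build environment this test will fail; deselect it there, e.g. `%{__python3} -m pytest -v --deselect tests/test_requests.py::TestPreparingURLs::test_different_connection_pool_for_tls_settings`. The body of `send` starts and ends outside the hunk.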
@@ -92,6 +94,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
 %doc HISTORY.md README.md
 %changelog
+* Tue May 21 2024 qiaojijun - 2.31.0-2
+- fix CVE-2024-35195
+
 * Thu Jul 13 2023 zhangchenglin - 2.31.0-1
 - Update package to version 2.31.0