From fe1f2eb9c4e04a865952d54c9f38403d6ff52303 Mon Sep 17 00:00:00 2001
From: qiaojijun
Date: Tue, 18 Jun 2024 09:57:18 +0800
Subject: [PATCH] fix CVE-2024-37891 from https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
---
 CVE-2024-37891.patch | 183 +++++++++++++++++++++++++++++++++++++++++++
 python-urllib3.spec | 10 ++-
 2 files changed, 192 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-37891.patch
diff --git a/CVE-2024-37891.patch b/CVE-2024-37891.patch
new file mode 100644
index 0000000..ceeccb6
--- /dev/null
+++ b/CVE-2024-37891.patch
@@ -0,0 +1,183 @@ +From 40b6d1605814dd1db0a46e202d6e56f2e4c9a468 Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* [1.26] Strip Proxy-Authorization header on redirects + +* Set release date +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 +++++- + test/test_retry_deprecated.py | 6 +++++- + test/with_dummyserver/test_poolmanager.py | 26 ++++++++++++++++++++--- + 5 files changed, 41 insertions(+), 6 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 3a0a4f0a..22af7e3d 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,6 +1,11 @@ + Changes + ======= + ++1.26.19 (2024-06-17) ++================== ++ ++- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. ++ + 1.26.18 (2023-10-17) + -------------------- + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 60ef6c4f..9a1e90d0 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -235,7 +235,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. 
+ DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index 95a33e74..36477145 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -293,7 +293,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py +index 5133a51a..e3b69e77 100644 +--- a/test/test_retry_deprecated.py ++++ b/test/test_retry_deprecated.py +@@ -295,7 +295,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index 509daf29..02e3de5e 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -142,7 +142,11 @@ class TestPoolManager(HTTPDummyServerTestCase): + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"Authorization": "foo", "Cookie": "foo=bar"}, ++ headers={ ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ }, + ) + + assert r.status == 200 +@@ -150,13 +154,18 @@ class TestPoolManager(HTTPDummyServerTestCase): + data = json.loads(r.data.decode("utf-8")) + + assert "Authorization" not in data ++ assert "Proxy-Authorization" not in data + 
assert "Cookie" not in data + + r = http.request( + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"authorization": "foo", "cookie": "foo=bar"}, ++ headers={ ++ "authorization": "foo", ++ "proxy-authorization": "baz", ++ "cookie": "foo=bar", ++ }, + ) + + assert r.status == 200 +@@ -165,6 +174,8 @@ class TestPoolManager(HTTPDummyServerTestCase): + + assert "authorization" not in data + assert "Authorization" not in data ++ assert "proxy-authorization" not in data ++ assert "Proxy-Authorization" not in data + assert "cookie" not in data + assert "Cookie" not in data + +@@ -174,7 +185,11 @@ class TestPoolManager(HTTPDummyServerTestCase): + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"Authorization": "foo", "Cookie": "foo=bar"}, ++ headers={ ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ }, + retries=Retry(remove_headers_on_redirect=[]), + ) + +@@ -183,6 +198,7 @@ class TestPoolManager(HTTPDummyServerTestCase): + data = json.loads(r.data.decode("utf-8")) + + assert data["Authorization"] == "foo" ++ assert data["Proxy-Authorization"] == "bar" + assert data["Cookie"] == "foo=bar" + + def test_redirect_cross_host_set_removed_headers(self): +@@ -194,6 +210,7 @@ class TestPoolManager(HTTPDummyServerTestCase): + headers={ + "X-API-Secret": "foo", + "Authorization": "bar", ++ "Proxy-Authorization": "baz", + "Cookie": "foo=bar", + }, + retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), +@@ -205,6 +222,7 @@ class TestPoolManager(HTTPDummyServerTestCase): + + assert "X-API-Secret" not in data + assert data["Authorization"] == "bar" ++ assert data["Proxy-Authorization"] == "baz" + assert data["Cookie"] == "foo=bar" + + r = http.request( +@@ -213,6 +231,7 @@ class TestPoolManager(HTTPDummyServerTestCase): + fields={"target": "%s/headers" % self.base_url_alt}, + headers={ + "x-api-secret": "foo", ++ 
"proxy-authorization": "baz", + "authorization": "bar", + "cookie": "foo=bar", + }, +@@ -226,6 +245,7 @@ class TestPoolManager(HTTPDummyServerTestCase): + assert "x-api-secret" not in data + assert "X-API-Secret" not in data + assert data["Authorization"] == "bar" ++ assert data["Proxy-Authorization"] == "baz" + assert data["Cookie"] == "foo=bar" + + def test_redirect_without_preload_releases_connection(self): +-- +2.20.1 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 48222ee..203e6cd 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.18 -Release: 1 +Release: 2 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -12,6 +12,8 @@ Source1: ssl_match_hostname_py3.py Patch0001: remove_mock.patch +Patch3000: CVE-2024-37891.patch + BuildArch: noarch %description @@ -76,6 +78,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Tue Jun 18 2024 qiaojijun - 1.26.18-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: fix CVE-2024-37891 + * Tue Feb 06 2024 chengyechun - 1.26.18-1 - Type:enhancement - ID:NA -- Gitee