From 0837de4ffc1de9999968794d6b531a171ae2be5c Mon Sep 17 00:00:00 2001 From: qiaojijun Date: Tue, 18 Jun 2024 14:13:44 +0800 Subject: [PATCH] fix CVE-2024-37891 from https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468 --- backport-CVE-2024-37891.patch | 179 ++++++++++++++++++++++++++++++++++ python-urllib3.spec | 9 +- 2 files changed, 187 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-37891.patch diff --git a/backport-CVE-2024-37891.patch b/backport-CVE-2024-37891.patch new file mode 100644 index 0000000..fdbb15d --- /dev/null +++ b/backport-CVE-2024-37891.patch @@ -0,0 +1,179 @@ +From 9d5e1afc8dbb5829efe6c9f70037d0503d19541c Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* [1.26] Strip Proxy-Authorization header on redirects + +from: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468 +conflicts: + CHANGES.rst + src/urllib3/util/retry.py + test/test_retry.py + test/test_retry_deprecated.py + test/with_dummyserver/test_poolmanager.py + +Signed-off-by: qiaojijun +--- + src/urllib3/util/retry.py | 4 ++- + test/test_retry.py | 6 +++- + test/test_retry_deprecated.py | 6 +++- + test/with_dummyserver/test_poolmanager.py | 34 +++++++++++++++++++---- + 4 files changed, 42 insertions(+), 8 deletions(-) + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 3398323..4a6eb0d 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -235,7 +235,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index 21ba1e9..9169e36 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -293,7 +293,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert list(retry.remove_headers_on_redirect) == ["authorization"] ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py +index f55c5d8..e3b69e7 100644 +--- a/test/test_retry_deprecated.py ++++ b/test/test_retry_deprecated.py +@@ -295,7 +295,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert list(retry.remove_headers_on_redirect) == ["authorization"] ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index fa07a37..c8a0d7e 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -141,7 +141,11 @@ class TestPoolManager(HTTPDummyServerTestCase): + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"Authorization": "foo"}, ++ headers={ ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ }, + ) + + assert r.status == 200 +@@ -149,12 +153,18 @@ class TestPoolManager(HTTPDummyServerTestCase): + data = json.loads(r.data.decode("utf-8")) + + assert "Authorization" not in data ++ assert "Proxy-Authorization" not in data ++ assert "Cookie" not in data + + r = http.request( + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"authorization": "foo"}, ++ headers={ ++ "authorization": "foo", ++ "proxy-authorization": "baz", ++ "cookie": "foo=bar", ++ }, + ) + + assert r.status == 200 +@@ -163,6 +173,10 @@ class TestPoolManager(HTTPDummyServerTestCase): + + assert "authorization" not in data + assert "Authorization" not in data ++ assert "proxy-authorization" not in data ++ assert "Proxy-Authorization" not in data ++ assert "cookie" not in data ++ assert "Cookie" not in data + + def test_redirect_cross_host_no_remove_headers(self): + with PoolManager() as http: +@@ -170,7 +184,11 @@ class TestPoolManager(HTTPDummyServerTestCase): + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"Authorization": "foo"}, ++ headers={ ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ }, + retries=Retry(remove_headers_on_redirect=[]), + ) + +@@ -179,6 +197,8 @@ class TestPoolManager(HTTPDummyServerTestCase): + data = json.loads(r.data.decode("utf-8")) + + assert data["Authorization"] == "foo" ++ assert data["Proxy-Authorization"] == "bar" ++ assert data["Cookie"] == "foo=bar" + + def test_redirect_cross_host_set_removed_headers(self): + with PoolManager() as http: +@@ -186,7 +206,7 @@ class TestPoolManager(HTTPDummyServerTestCase): + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"X-API-Secret": "foo", "Authorization": "bar"}, ++ headers={"X-API-Secret": "foo", "Authorization": "bar","Proxy-Authorization": "baz","Cookie": "foo=bar"}, + retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), + ) + +@@ -196,12 +216,14 @@ class TestPoolManager(HTTPDummyServerTestCase): + + assert "X-API-Secret" not in data + assert data["Authorization"] == "bar" ++ assert data["Proxy-Authorization"] == "baz" ++ assert data["Cookie"] == "foo=bar" + + r = http.request( + "GET", + "%s/redirect" % self.base_url, + fields={"target": "%s/headers" % self.base_url_alt}, +- headers={"x-api-secret": "foo", "authorization": "bar"}, ++ headers={"x-api-secret": "foo", "authorization": "bar","proxy-authorization": "baz","cookie": "foo=bar"}, + retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), + ) + +@@ -212,6 +234,8 @@ class TestPoolManager(HTTPDummyServerTestCase): + assert "x-api-secret" not in data + assert "X-API-Secret" not in data + assert data["Authorization"] == "bar" ++ assert data["Proxy-Authorization"] == "baz" ++ assert data["Cookie"] == "foo=bar" + + def test_redirect_without_preload_releases_connection(self): + with PoolManager(block=True, maxsize=2) as http: +-- +2.20.1 + diff --git a/python-urllib3.spec b/python-urllib3.spec index b9c3a6e..ddc4ea1 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.12 -Release: 6 +Release: 7 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -19,6 +19,7 @@ Patch6004: backport-Remove-Exclamation-mark-character-from-the-unreserved-c Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch Patch6006: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch Patch6007: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch +Patch6008: backport-CVE-2024-37891.patch BuildArch: noarch @@ -84,6 +85,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Tue Jun 18 2024 qiaojijun - 1.26.12-7 +- Type:CVE +- CVE:CVE-2024-37891 +- SUG:NA +- DESC: fix CVE-2024-37891 + * Fri Nov 03 2023 chengyechun - 1.26.12-6 - Type:CVE - CVE:CVE-2023-45803 -- Gitee