diff --git a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd9c8f32cc2921503b3fa168b55af638568f2ab6 --- /dev/null +++ b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch @@ -0,0 +1,72 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date + +Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified +because it has been deleted in the pre-phase of the spec file +Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e + +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 +++++- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 3a0a4f0..eba0814 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,6 +1,11 @@ + Changes + ======= + ++2.2.2 (2024-06-17) ++================== ++ ++- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. ++ + 1.26.18 (2023-10-17) + -------------------- + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 60ef6c4..9a1e90d 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -235,7 +235,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index 6475f2a..a0463e4 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -296,7 +296,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +-- +2.33.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 48222ee0218be46b26b7ea4812738b5d6196a1af..51d96ce184985cfa85e55c4ff34aa85bb853f2d8 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.18 -Release: 1 +Release: 2 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -12,6 +12,8 @@ Source1: ssl_match_hostname_py3.py Patch0001: remove_mock.patch +Patch6000: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch + BuildArch: noarch %description @@ -76,6 +78,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Tue Jun 25 2024 chengyechun - 1.26.18-2 +- Type:CVE +- CVE:CVE-2024-37891 +- SUG:NA +- DESC:fix CVE-2024-37891 Strip Proxy-Authorizatioin header on redirects + * Tue Feb 06 2024 chengyechun - 1.26.18-1 - Type:enhancement - ID:NA