From 2f98e99e87b117c8294fd4589babad3352e49605 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Mon, 1 Jul 2024 01:24:18 +0000 Subject: [PATCH] fix CVE-2024-37891 (cherry picked from commit f94cef58e3319ac235c642aec283ee89ef3605aa) --- ...xy-Authorization-header-on-redirects.patch | 72 +++++++++++++++++++ python-urllib3.spec | 10 ++- 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch diff --git a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch new file mode 100644 index 0000000..dd9c8f3 --- /dev/null +++ b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch @@ -0,0 +1,72 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date + +Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified +because it has been deleted in the pre-phase of the spec file +Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e + +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 +++++- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 3a0a4f0..eba0814 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,6 +1,11 @@ + Changes + ======= + ++2.2.2 (2024-06-17) ++================== ++ ++- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. ++ + 1.26.18 (2023-10-17) + -------------------- + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 60ef6c4..9a1e90d 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -235,7 +235,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index 6475f2a..a0463e4 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -296,7 +296,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +-- +2.33.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 48222ee..51d96ce 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.18 -Release: 1 +Release: 2 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -12,6 +12,8 @@ Source1: ssl_match_hostname_py3.py Patch0001: remove_mock.patch +Patch6000: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch + BuildArch: noarch %description @@ -76,6 +78,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Tue Jun 25 2024 chengyechun - 1.26.18-2 +- Type:CVE +- CVE:CVE-2024-37891 +- SUG:NA +- DESC:fix CVE-2024-37891 Strip Proxy-Authorizatioin header on redirects + * Tue Feb 06 2024 chengyechun - 1.26.18-1 - Type:enhancement - ID:NA -- Gitee