From 8a5e1e1db6d48fec0ccefaa64423266ed07bfc30 Mon Sep 17 00:00:00 2001
From: linker
Date: Fri, 16 Apr 2021 11:44:02 +0800
Subject: [PATCH] fix CVE-2020-26137
---
 backport-CVE-2020-26137.patch | 49 +++++++++++++++++++++++++++++++++++
 python-urllib3.spec | 9 ++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-26137.patch
diff --git a/backport-CVE-2020-26137.patch b/backport-CVE-2020-26137.patch
new file mode 100644
index 0000000..1d6ff00
--- /dev/null
+++ b/backport-CVE-2020-26137.patch
@@ -0,0 +1,49 @@
+From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Mon, 17 Feb 2020 15:34:48 -0600
+Subject: [PATCH] Raise ValueError if method contains control characters
+ (#1800)
+
+---
+ src/urllib3/connection.py | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+
+diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
+index 5384094..2c64fab 100644
+--- a/src/urllib3/connection.py
++++ b/src/urllib3/connection.py
+@@ -1,4 +1,5 @@
+ from __future__ import absolute_import
++import re
+ import datetime
+ import logging
+ import os
+@@ -61,6 +62,8 @@ port_by_scheme = {
+ # (ie test_recent_date is failing) update it to ~6 months before the current date.
+ RECENT_DATE = datetime.date(2019, 9, 1)
+ 
++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
++ 
+ class DummyConnection(object):
+ """Used to detect a failed ConnectionCls import."""
+ pass
+@@ -180,6 +183,17 @@ class HTTPConnection(_HTTPConnection, object):
+ conn = self._new_conn()
+ self._prepare_conn(conn)
+ 
++ def putrequest(self, method, url, *args, **kwargs):
++ """Send a request to the server"""
++ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
++ if match:
++ raise ValueError(
++ "Method cannot contain non-token characters %r (found at least %r)"
++ % (method, match.group())
++ )
++ 
++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
++ 
+ def request_chunked(self, method, url, body=None, headers=None):
+ """
+ Alternative to the common request method, which sends the
+-- 
+2.23.0
diff --git a/python-urllib3.spec b/python-urllib3.spec
index bc86565..d763364 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -3,7 +3,7 @@ Name: python-%{srcname}
 Version: 1.24.3
-Release: 2
+Release: 3
 Summary: Sanity-friendly HTTP client for Python
 License: MIT
 URL: https://urllib3.readthedocs.io
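Review bot: The `putrequest` override that the backported patch adds rejects non-token characters in `method`, but its docstring, `"""Send a request to the server"""`, says nothing about that contract, so a reader of the vendored patch does not learn that such a method now raises before anything is written to the socket; suggest `"""Send a request to the server; raise ValueError if ``method`` contains non-token characters (defends against header injection through the method)."""`. Because the check is `_CONTAINS_CONTROL_CHAR_RE.search(method)`, a non-`str` method (for example `None`) would surface as a `TypeError` from `re` rather than the `ValueError` the message promises — this mirrors the upstream change and is probably acceptable, but callers that catch `ValueError` only should be aware of it. The inner hunk offsets (`@@ -180,6 +183,17 @@`) may come from a newer upstream tree than the 1.24.3 `connection.py` this package patches; if they differ the patch applies with fuzz, so the build log should be checked for rejects. The backport carries no test, so nothing in the package build exercises the rejection path.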
@@ -12,6 +12,7 @@ Source1: ssl_match_hostname_py3.py
 #modify pytest to tool:pytest, from Ratan Kulshreshtha
 Patch0: modify-pytest-tool.patch
 Patch6000: 0001-Connection-Update-RECENT_DATE-to-2019-9-1.patch
+Patch6001: backport-CVE-2020-26137.patch
 BuildArch: noarch
@@ -110,6 +111,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 %changelog
+* Fri Apr 16 2021 wangye - 1.24.3-3
+- Type:cve
+- ID:CVE-2020-26137
+- SUG:NA
+- DESC: fix CVE-2020-26137
+
 * Sat Oct 26 2019 openEuler Buildteam - 1.24.3-2
 - optimize spec file.
-- Gitee
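Review bot: `Patch6001` is declared here, but whether it is applied depends on the `%prep` section, which lies outside this hunk: if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, a matching `%patch6001 -p1` is also required, otherwise the package is rebuilt at Release 3 with a changelog claiming the CVE-2020-26137 fix while `connection.py` is unchanged. Please confirm `%prep` applies it, or add the line alongside the one for `Patch6000`. The spec's pytest run (visible in the `@@ -110,6 +111,12 @@` hunk header) would make the applied fix observable if the upstream test for this change were carried with the backport.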