From 510ef10a509d515e1869fd027118eb75a97df143 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Sat, 7 Oct 2023 11:00:34 +0800 Subject: [PATCH] fix CVE-2023-43804 --- ...dd-the-Cookie-to-the-list-of-headers.patch | 62 +++++++++++++++++++ python-urllib3.spec | 10 ++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch diff --git a/backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch b/backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch new file mode 100644 index 0000000..a6526d9 --- /dev/null +++ b/backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch @@ -0,0 +1,62 @@ +From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Tue, 3 Oct 2023 12:43:45 AM GMT+0800 +Subject: [PATCH] backport CVE-2023-43804 add the Cookie to the list of headers + +Conflict:NA +Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb + +--- + src/urllib3/util/retry.py | 2 +- + test/test_retry.py | 4 ++-- + test/test_retry_deprecated.py | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 2490d5e..60ef6c4 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -235,7 +235,7 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index e7c94e4..6475f2a 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -296,12 +296,12 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert list(retry.remove_headers_on_redirect) == ["authorization"] ++ assert retry.remove_headers_on_redirect == {"authorization", "cookie"} + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) + +- assert list(retry.remove_headers_on_redirect) == ["x-api-secret"] ++ assert retry.remove_headers_on_redirect == {"x-api-secret"} + + @pytest.mark.parametrize("value", ["-1", "+1", "1.0", six.u("\xb2")]) # \xb2 = ^2 + def test_parse_retry_after_invalid(self, value): +diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py +index 49c73b9..b98fc23 100644 +--- a/test/test_retry_deprecated.py ++++ b/test/test_retry_deprecated.py +@@ -298,7 +298,7 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert list(retry.remove_headers_on_redirect) == ["authorization"] ++ assert retry.remove_headers_on_redirect == {"authorization", "cookie"} + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +-- +2.23.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 1349aae..589707c 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,13 +3,15 @@ Name: python-%{srcname} Version: 1.26.16 -Release: 2 +Release: 3 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.tar.gz Source1: ssl_match_hostname_py3.py +Patch6000: backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch + Patch0001: remove_mock.patch BuildArch: noarch @@ -76,6 +78,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Sat Oct 07 2023 chengyechun - 1.26.16-3 +- Type:CVE +- CVE:CVE-2023-43804 +- SUG:NA +- DESC:Add the Cookie to the list of headers + * Tue Aug 01 2023 chengyechun - 1.26.16-2 - Type:bugfix - CVE:NA -- Gitee