diff --git a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch new file mode 100644 index 0000000000000000000000000000000000000000..d713513a454a9a487391aca8c2dac3bd99de06ed --- /dev/null +++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch @@ -0,0 +1,126 @@ +From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Tue, 17 Oct 2023 19:35:39 +0300 +Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4 + +Conflict:test/with_dummyserver/test_poolmanager.py and +test_connectionpool.py has not been modified because it has been deleted +in the pre-phase of the spec file +Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 + +--- + dummyserver/handlers.py | 7 +++++++ + src/urllib3/_collections.py | 19 +++++++++++++++++++ + src/urllib3/connectionpool.py | 5 +++++ + src/urllib3/poolmanager.py | 7 +++++-- + 4 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py +index c90c2fc..acd181d 100644 +--- a/dummyserver/handlers.py ++++ b/dummyserver/handlers.py +@@ -186,6 +186,8 @@ class TestingApp(RequestHandler): + status = request.params.get("status", "303 See Other") + if len(status) == 3: + status = "%s Redirect" % status.decode("latin-1") ++ elif isinstance(status, bytes): ++ status = status.decode("latin-1") + + headers = [("Location", target)] + return Response(status=status, headers=headers) +@@ -264,6 +266,11 @@ class TestingApp(RequestHandler): + def headers(self, request): + return Response(json.dumps(dict(request.headers))) + ++ def headers_and_params(self, request): ++ return Response( ++ json.dumps({"headers": dict(request.headers), "params": request.params}) ++ ) ++ + def successful_retry(self, request): + """Handler which will return an error and then success + +diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py +index da9857e..3672e30 100644 +--- a/src/urllib3/_collections.py ++++ b/src/urllib3/_collections.py +@@ -268,6 +268,25 @@ class HTTPHeaderDict(MutableMapping): + else: + return vals[1:] + ++ def _prepare_for_method_change(self): ++ """ ++ Remove content-specific header fields before changing the request ++ method to GET or HEAD according to RFC 9110, Section 15.4. ++ """ ++ ++ content_specific_headers = [ ++ "Content-Encoding", ++ "Content-Language", ++ "Content-Location", ++ "Content-Type", ++ "Content-Length", ++ "Digest", ++ "Last-Modified", ++ ] ++ for header in content_specific_headers: ++ self.discard(header) ++ return self ++ + # Backwards compatibility for httplib + getheaders = getlist + getallmatchingheaders = getlist +diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py +index 96844d9..1fe9502 100644 +--- a/src/urllib3/connectionpool.py ++++ b/src/urllib3/connectionpool.py +@@ -9,6 +9,7 @@ import warnings + from socket import error as SocketError + from socket import timeout as SocketTimeout + ++from ._collections import HTTPHeaderDict + from .connection import ( + BaseSSLError, + BrokenPipeError, +@@ -843,7 +844,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods): + redirect_location = redirect and response.get_redirect_location() + if redirect_location: + if response.status == 303: ++ # Change the method according to RFC 9110, Section 15.4.4. + method = "GET" ++ # And lose the body not to transfer anything sensitive ++ body = None ++ headers = HTTPHeaderDict(headers)._prepare_for_method_change() + + try: + retries = retries.increment(method, url, response=response, _pool=self) +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index 14b10da..d69955a 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -4,7 +4,7 @@ import collections + import functools + import logging + +-from ._collections import RecentlyUsedContainer ++from ._collections import HTTPHeaderDict, RecentlyUsedContainer + from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme + from .exceptions import ( + LocationValueError, +@@ -382,9 +382,12 @@ class PoolManager(RequestMethods): + # Support relative URLs for redirecting. + redirect_location = urljoin(url, redirect_location) + +- # RFC 7231, Section 6.4.4 + if response.status == 303: ++ # Change the method according ro RFC 9110, Section 15.4.4. + method = "GET" ++ # And lose the body not to transfer anything sensitive. ++ kw["body"] = None ++ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() + + retries = kw.get("retries") + if not isinstance(retries, Retry): +-- +2.23.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 6f1e464867f0b6d9ae5180e319b636e1073337e3..cfe8207b0dee1616bc8eec10f42c1e2dcabf4e4e 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,13 +3,15 @@ Name: python-%{srcname} Version: 1.26.17 -Release: 1 +Release: 2 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.tar.gz Source1: ssl_match_hostname_py3.py +Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch + Patch0001: remove_mock.patch BuildArch: noarch @@ -76,6 +78,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Tue Oct 31 2023 chengyechun - 1.26.17-2 +- Type:CVE +- ID:CVE-2023-45803 +- SUG:NA +- DESC:fix CVE-2023-45803 Made body stripped form HTTP requests + * Wed Oct 04 2023 Funda Wang - 1.26.17-1 - Update to version 1.26.17 to fix CVE-2023-43804