From 8773098c293ddccf5512557ebad862971ac0f1e0 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Fri, 3 Nov 2023 10:48:17 +0800 Subject: [PATCH] backport CVE-2023-45803 (cherry picked from commit 3b6a7d6fdaf6014db14918e60e004e69317cfb32) --- ...ed-the-Cookie-to-the-list-of-headers.patch | 4 + ...ade-body-stripped-from-HTTP-requests.patch | 125 ++++++++++++++++++ python-urllib3.spec | 16 ++- 3 files changed, 142 insertions(+), 3 deletions(-) rename CVE-2023-43804.patch => backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch (98%) create mode 100644 backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch diff --git a/CVE-2023-43804.patch b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch similarity index 98% rename from CVE-2023-43804.patch rename to backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch index 3710f1e..c064f7c 100644 --- a/CVE-2023-43804.patch +++ b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch @@ -5,6 +5,10 @@ Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139) Co-authored-by: Quentin Pradet Co-authored-by: Illia Volochii + +Conflict:NA +Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb + --- src/urllib3/util/retry.py | 2 +- test/test_retry.py | 4 ++-- diff --git a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch new file mode 100644 index 0000000..5075d8b --- /dev/null +++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch 
@@ -0,0 +1,125 @@ +From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Tue, 17 Oct 2023 19:35:39 +0300 +Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4 + +Conflict:test/with_dummyserver/test_poolmanager.py and +test_connectionpool.py has not been modified because it has been deleted +in the pre-phase of the spec file +Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 + +--- + dummyserver/handlers.py | 7 +++++++ + src/urllib3/_collections.py | 18 ++++++++++++++++++ + src/urllib3/connectionpool.py | 5 +++++ + src/urllib3/poolmanager.py | 7 +++++-- + 4 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py +index c90c2fc..acd181d 100644 +--- a/dummyserver/handlers.py ++++ b/dummyserver/handlers.py +@@ -186,6 +186,8 @@ class TestingApp(RequestHandler): + status = request.params.get("status", "303 See Other") + if len(status) == 3: + status = "%s Redirect" % status.decode("latin-1") ++ elif isinstance(status, bytes): ++ status = status.decode("latin-1") + + headers = [("Location", target)] + return Response(status=status, headers=headers) +@@ -264,6 +266,11 @@ class TestingApp(RequestHandler): + def headers(self, request): + return Response(json.dumps(dict(request.headers))) + ++ def headers_and_params(self, request): ++ return Response( ++ json.dumps({"headers": dict(request.headers), "params": request.params}) ++ ) ++ + def successful_retry(self, request): + """Handler which will return an error and then success + +diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py +index da9857e..bceb845 100644 +--- a/src/urllib3/_collections.py ++++ b/src/urllib3/_collections.py +@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping): + else: + return vals[1:] + ++ def _prepare_for_method_change(self): ++ """ ++ Remove content-specific header fields before changing the request ++ method to GET or 
HEAD according to RFC 9110, Section 15.4. ++ """ ++ content_specific_headers = [ ++ "Content-Encoding", ++ "Content-Language", ++ "Content-Location", ++ "Content-Type", ++ "Content-Length", ++ "Digest", ++ "Last-Modified", ++ ] ++ for header in content_specific_headers: ++ self.discard(header) ++ return self ++ + # Backwards compatibility for httplib + getheaders = getlist + getallmatchingheaders = getlist +diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py +index 659a9ca..ebce9ce 100644 +--- a/src/urllib3/connectionpool.py ++++ b/src/urllib3/connectionpool.py +@@ -9,6 +9,7 @@ import warnings + from socket import error as SocketError + from socket import timeout as SocketTimeout + ++from ._collections import HTTPHeaderDict + from .connection import ( + BaseSSLError, + BrokenPipeError, +@@ -832,7 +833,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods): + redirect_location = redirect and response.get_redirect_location() + if redirect_location: + if response.status == 303: ++ # Change the method according to RFC 9110, Section 15.4.4. + method = "GET" ++ # And lose the body not to transfer anything sensitive. ++ body = None ++ headers = HTTPHeaderDict(headers)._prepare_for_method_change() + + try: + retries = retries.increment(method, url, response=response, _pool=self) +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index ca4ec34..5f4afe1 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -4,7 +4,7 @@ import collections + import functools + import logging + +-from ._collections import RecentlyUsedContainer ++from ._collections import HTTPHeaderDict, RecentlyUsedContainer + from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme + from .exceptions import ( + LocationValueError, +@@ -382,9 +382,12 @@ class PoolManager(RequestMethods): + # Support relative URLs for redirecting. 
+ redirect_location = urljoin(url, redirect_location) + +- # RFC 7231, Section 6.4.4 + if response.status == 303: ++ # Change the method according to RFC 9110, Section 15.4.4. + method = "GET" ++ # And lose the body not to transfer anything sensitive. ++ kw["body"] = None ++ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() + + retries = kw.get("retries") + if not isinstance(retries, Retry): +-- +2.23.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 28d115d..b9c3a6e 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.12 -Release: 5 +Release: 6 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -17,7 +17,8 @@ Patch6002: backport-fixed-issue-with-port-0-returning-None.patch Patch6003: backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch Patch6004: backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch -Patch6006: CVE-2023-43804.patch +Patch6006: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch +Patch6007: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch BuildArch: noarch @@ -83,8 +84,17 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Fri Nov 03 2023 chengyechun - 1.26.12-6 +- Type:CVE +- CVE:CVE-2023-45803 +- SUG:NA +- DESC:fix CVE-2023-45803 + * Wed Oct 04 2023 Funda Wang - 1.26.12-5 -- fix CVE-2023-43804 +- Type:CVE +- CVE:CVE-2023-43804 +- SUG:NA +- DESC:fix CVE-2023-43804 * Tue Mar 21 2023 chenhaixing - 1.26.12-4 - Type:bugfix -- Gitee
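Review bot: The `headers_and_params` handler added to dummyserver/handlers.py has no caller in this backport: the Conflict note says the upstream tests in test/with_dummyserver/test_poolmanager.py and test_connectionpool.py were dropped, and those are the tests that exercise it, so nothing run during the package build verifies that a 303 redirect actually drops the body and the content-specific headers. Either leave the handler out or carry a reduced regression test next to the existing HTTPHeaderDict tests, asserting that `HTTPHeaderDict({"Content-Type": "x", "Content-Length": "1", "X-Keep": "y"})._prepare_for_method_change()` discards the two content fields while `X-Keep` survives, so the CVE fix is covered by the build. The connectionpool.py and poolmanager.py hunks match the referenced upstream commit; both rely on `headers` and `kw["headers"]` being non-None at that point, which presumably the earlier part of each urlopen guarantees — confirm, since those functions start and end outside the hunk.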
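Review bot: Patch6007 is declared in the spec, but the hunk does not show how %prep applies patches; if the spec uses explicit %patch directives rather than %autosetup, a matching `%patch6007 -p1` line is also needed, otherwise the CVE-2023-45803 fix is listed but never applied to the build. Worth confirming against the %prep section, which is outside this diff, and against a build log showing the patch being applied.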