diff --git a/1.26.17.tar.gz b/1.26.17.tar.gz
deleted file mode 100644
index 710800cc4cfd364eb131f90d300282bf9d4601f2..0000000000000000000000000000000000000000
Binary files a/1.26.17.tar.gz and /dev/null differ
diff --git a/1.26.18.tar.gz b/1.26.18.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..61208b3126ab5c336c508da53aef0b3f3bafe5fb
Binary files /dev/null and b/1.26.18.tar.gz differ
diff --git a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
deleted file mode 100644
index d713513a454a9a487391aca8c2dac3bd99de06ed..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
-From: Illia Volochii
-Date: Tue, 17 Oct 2023 19:35:39 +0300
-Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
-
-Conflict:test/with_dummyserver/test_poolmanager.py and
-test_connectionpool.py has not been modified because it has been deleted
-in the pre-phase of the spec file
-Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
-
----
- dummyserver/handlers.py | 7 +++++++
- src/urllib3/_collections.py | 19 +++++++++++++++++++
- src/urllib3/connectionpool.py | 5 +++++
- src/urllib3/poolmanager.py | 7 +++++--
- 4 files changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
-index c90c2fc..acd181d 100644
---- a/dummyserver/handlers.py
-+++ b/dummyserver/handlers.py
-@@ -186,6 +186,8 @@ class TestingApp(RequestHandler):
- status = request.params.get("status", "303 See Other")
- if len(status) == 3:
- status = "%s Redirect" % status.decode("latin-1")
-+ elif isinstance(status, bytes):
-+ status = status.decode("latin-1")
-
- headers = [("Location", target)]
- return Response(status=status, headers=headers)
-@@ -264,6 +266,11 @@ class TestingApp(RequestHandler):
- def headers(self, request):
- return Response(json.dumps(dict(request.headers)))
-
-+ def headers_and_params(self, request):
-+ return Response(
-+ json.dumps({"headers": dict(request.headers), "params": request.params})
-+ )
-+
- def successful_retry(self, request):
- """Handler which will return an error and then success
-
-diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
-index da9857e..3672e30 100644
---- a/src/urllib3/_collections.py
-+++ b/src/urllib3/_collections.py
-@@ -268,6 +268,25 @@ class HTTPHeaderDict(MutableMapping):
- else:
- return vals[1:]
-
-+ def _prepare_for_method_change(self):
-+ """
-+ Remove content-specific header fields before changing the request
-+ method to GET or HEAD according to RFC 9110, Section 15.4.
-+ """
-+
-+ content_specific_headers = [
-+ "Content-Encoding",
-+ "Content-Language",
-+ "Content-Location",
-+ "Content-Type",
-+ "Content-Length",
-+ "Digest",
-+ "Last-Modified",
-+ ]
-+ for header in content_specific_headers:
-+ self.discard(header)
-+ return self
-+
- # Backwards compatibility for httplib
- getheaders = getlist
- getallmatchingheaders = getlist
-diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
-index 96844d9..1fe9502 100644
---- a/src/urllib3/connectionpool.py
-+++ b/src/urllib3/connectionpool.py
-@@ -9,6 +9,7 @@ import warnings
- from socket import error as SocketError
- from socket import timeout as SocketTimeout
-
-+from ._collections import HTTPHeaderDict
- from .connection import (
- BaseSSLError,
- BrokenPipeError,
-@@ -843,7 +844,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
- redirect_location = redirect and response.get_redirect_location()
- if redirect_location:
- if response.status == 303:
-+ # Change the method according to RFC 9110, Section 15.4.4.
- method = "GET"
-+ # And lose the body not to transfer anything sensitive
-+ body = None
-+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
-
- try:
- retries = retries.increment(method, url, response=response, _pool=self)
-diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
-index 14b10da..d69955a 100644
---- a/src/urllib3/poolmanager.py
-+++ b/src/urllib3/poolmanager.py
-@@ -4,7 +4,7 @@ import collections
- import functools
- import logging
-
--from ._collections import RecentlyUsedContainer
-+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
- from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
- from .exceptions import (
- LocationValueError,
-@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
- # Support relative URLs for redirecting.
- redirect_location = urljoin(url, redirect_location)
-
-- # RFC 7231, Section 6.4.4
- if response.status == 303:
-+ # Change the method according ro RFC 9110, Section 15.4.4.
- method = "GET"
-+ # And lose the body not to transfer anything sensitive.
-+ kw["body"] = None
-+ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
-
- retries = kw.get("retries")
- if not isinstance(retries, Retry):
---
-2.23.0
-
diff --git a/python-urllib3.spec b/python-urllib3.spec
index cfe8207b0dee1616bc8eec10f42c1e2dcabf4e4e..48222ee0218be46b26b7ea4812738b5d6196a1af 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -2,16 +2,14 @@
%bcond_without tests
Name: python-%{srcname}
-Version: 1.26.17
-Release: 2
+Version: 1.26.18
+Release: 1
Summary: Sanity-friendly HTTP client for Python
License: MIT
URL: https://urllib3.readthedocs.io
Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.tar.gz
Source1: ssl_match_hostname_py3.py
-Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
-
Patch0001: remove_mock.patch
BuildArch: noarch
@@ -78,6 +76,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
%{python3_sitelib}/urllib3-*.egg-info
%changelog
+* Tue Feb 06 2024 chengyechun - 1.26.18-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update python-urllib3 to version 1.26.18
+
* Tue Oct 31 2023 chengyechun - 1.26.17-2
- Type:CVE
- ID:CVE-2023-45803
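Review bot: The new changelog stanza in the python-urllib3.spec `%changelog` hunk records this update as `- Type:enhancement` / `- ID:NA`, while the earlier hunk of the same file drops `Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch`, which was the package's only fix for CVE-2023-45803, so the CVE disappears from the package's security history. Presumably the rebase to 1.26.18 is meant to replace the backport with the upstream fix (the deleted patch cites urllib3 commit b594c5ceaca38e1ac215f916538fb128e3526a36), but nothing in the change states or verifies that, and a reader of the changelog would not know the CVE remains covered. I would confirm against the 1.26.18 release content that the method-change body/header stripping is present before dropping the backport, and record it in the new stanza: `- Type:CVE`, `- ID:CVE-2023-45803`, `- DESC:update python-urllib3 to version 1.26.18, which carries the upstream fix for CVE-2023-45803 (drops backport Patch6001)`.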