diff --git a/1.26.12.tar.gz b/1.26.12.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..12bc80a15ab952c1fa0540bb03a0a1e09fd993f1
Binary files /dev/null and b/1.26.12.tar.gz differ
diff --git a/1.26.7.tar.gz b/1.26.7.tar.gz
deleted file mode 100644
index 123f26b8f9079fcaab44d2ca8804ada33ea1b001..0000000000000000000000000000000000000000
Binary files a/1.26.7.tar.gz and /dev/null differ
diff --git a/Bump-RECENT_DATE.patch b/Bump-RECENT_DATE.patch
deleted file mode 100644
index f7af7f82d18a2ebd20d419098a2a43e7bfa3dcc2..0000000000000000000000000000000000000000
--- a/Bump-RECENT_DATE.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 2d98f6b53c38ab8e224cb825d6323b8eb54c887f Mon Sep 17 00:00:00 2001
-From: Quentin Pradet
-Date: Fri, 1 Jul 2022 14:43:18 +0400
-Subject: [PATCH] Bump RECENT_DATE
-
----
- /src/urllib3/connection.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
-index 60f70f7..f4991e5 100644
----- a/src/urllib3/connection.py
-+++ b/src/urllib3/connection.py
-@@ -68,7 +68,7 @@ port_by_scheme = {"http": 80, "https": 443}
-
- # When it comes time to update this value as a part of regular maintenance
- # (ie test_recent_date is failing) update it to ~6 months before the current date.
--RECENT_DATE = datetime.date(2020, 7, 1)
-+RECENT_DATE = datetime.date(2022, 1, 1)
-
- _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
-
---
-2.27.0
-
diff --git a/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c064f7c3945b1714379eb7b44f27afce7900b7a3
--- /dev/null
+++ b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
@@ -0,0 +1,157 @@
+From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Mon, 2 Oct 2023 11:43:46 -0500
+Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
+
+Co-authored-by: Quentin Pradet
+Co-authored-by: Illia Volochii
+
+Conflict:NA
+Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+
+---
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 4 ++--
+ test/test_retry_deprecated.py | 2 +-
+ test/with_dummyserver/test_poolmanager.py | 24 ++++++++++++++++++-----
+ 4 files changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 2490d5e5b6..60ef6c4f3f 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -235,7 +235,7 @@ class Retry(object):
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+
+ #: Maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 21ba1e92e1..95a33e7461 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -293,12 +293,12 @@ def test_retry_method_not_in_whitelist(self):
+ def test_retry_default_remove_headers_on_redirect(self):
+ retry = Retry()
+
+- assert list(retry.remove_headers_on_redirect) == ["authorization"]
++ assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+
+ def test_retry_set_remove_headers_on_redirect(self):
+ retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+
+- assert list(retry.remove_headers_on_redirect) == ["x-api-secret"]
++ assert retry.remove_headers_on_redirect == {"x-api-secret"}
+
+ @pytest.mark.parametrize("value", ["-1", "+1", "1.0", six.u("\xb2")]) # \xb2 = ^2
+ def test_parse_retry_after_invalid(self, value):
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index f55c5d846b..5133a51afa 100644
+--- a/test/test_retry_deprecated.py
++++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,7 @@ def test_retry_method_not_in_whitelist(self):
+ def test_retry_default_remove_headers_on_redirect(self):
+ retry = Retry()
+
+- assert list(retry.remove_headers_on_redirect) == ["authorization"]
++ assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+
+ def test_retry_set_remove_headers_on_redirect(self):
+ retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index fa07a372a9..02a38115c5 100644
+--- a/test/with_dummyserver/test_poolmanager.py
++++ b/test/with_dummyserver/test_poolmanager.py
+@@ -141,7 +141,7 @@ def test_redirect_cross_host_remove_headers(self):
+ "GET",
+ "%s/redirect" % self.base_url,
+ fields={"target": "%s/headers" % self.base_url_alt},
+- headers={"Authorization": "foo"},
++ headers={"Authorization": "foo", "Cookie": "foo=bar"},
+ )
+
+ assert r.status == 200
+@@ -149,12 +149,13 @@ def test_redirect_cross_host_remove_headers(self):
+ data = json.loads(r.data.decode("utf-8"))
+
+ assert "Authorization" not in data
++ assert "Cookie" not in data
+
+ r = http.request(
+ "GET",
+ "%s/redirect" % self.base_url,
+ fields={"target": "%s/headers" % self.base_url_alt},
+- headers={"authorization": "foo"},
++ headers={"authorization": "foo", "cookie": "foo=bar"},
+ )
+
+ assert r.status == 200
+@@ -163,6 +164,8 @@ def test_redirect_cross_host_remove_headers(self):
+
+ assert "authorization" not in data
+ assert "Authorization" not in data
++ assert "cookie" not in data
++ assert "Cookie" not in data
+
+ def test_redirect_cross_host_no_remove_headers(self):
+ with PoolManager() as http:
+@@ -170,7 +173,7 @@ def test_redirect_cross_host_no_remove_headers(self):
+ "GET",
+ "%s/redirect" % self.base_url,
+ fields={"target": "%s/headers" % self.base_url_alt},
+- headers={"Authorization": "foo"},
++ headers={"Authorization": "foo", "Cookie": "foo=bar"},
+ retries=Retry(remove_headers_on_redirect=[]),
+ )
+
+@@ -179,6 +182,7 @@ def test_redirect_cross_host_no_remove_headers(self):
+ data = json.loads(r.data.decode("utf-8"))
+
+ assert data["Authorization"] == "foo"
++ assert data["Cookie"] == "foo=bar"
+
+ def test_redirect_cross_host_set_removed_headers(self):
+ with PoolManager() as http:
+@@ -186,7 +190,11 @@ def test_redirect_cross_host_set_removed_headers(self):
+ "GET",
+ "%s/redirect" % self.base_url,
+ fields={"target": "%s/headers" % self.base_url_alt},
+- headers={"X-API-Secret": "foo", "Authorization": "bar"},
++ headers={
++ "X-API-Secret": "foo",
++ "Authorization": "bar",
++ "Cookie": "foo=bar",
++ },
+ retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+ )
+
+@@ -196,12 +204,17 @@ def test_redirect_cross_host_set_removed_headers(self):
+
+ assert "X-API-Secret" not in data
+ assert data["Authorization"] == "bar"
++ assert data["Cookie"] == "foo=bar"
+
+ r = http.request(
+ "GET",
+ "%s/redirect" % self.base_url,
+ fields={"target": "%s/headers" % self.base_url_alt},
+- headers={"x-api-secret": "foo", "authorization": "bar"},
++ headers={
++ "x-api-secret": "foo",
++ "authorization": "bar",
++ "cookie": "foo=bar",
++ },
+ retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+ )
+
+@@ -212,6 +225,7 @@ def test_redirect_cross_host_set_removed_headers(self):
+ assert "x-api-secret" not in data
+ assert "X-API-Secret" not in data
+ assert data["Authorization"] == "bar"
++ assert data["Cookie"] == "foo=bar"
+
+ def test_redirect_without_preload_releases_connection(self):
+ with PoolManager(block=True, maxsize=2) as http:
diff --git a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5075d8ba2ec59a210917a217fe2659bd6907399c
--- /dev/null
+++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
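Review bot: None of the tests carried in backport-CVE-2023-43804 run in this package's %check, so the one functional line, `DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])`, ships unverified. python-urllib3.spec removes `test/with_dummyserver/` in %prep, and its `-k "not (test_retry_deprecated or test_retry ...)"` expression appears to deselect the `test_retry.py` and `test_retry_deprecated.py` cases edited here. The same gap applies to backport-CVE-2023-45803 and the socket-timeout backport, whose Conflict lines say their tests were not carried. I would add one assertion that survives the skip list, for example `assert "cookie" in Retry().remove_headers_on_redirect`, in a test whose name does not contain `test_retry`. The poolmanager cases in this patch also pin that a caller-supplied `remove_headers_on_redirect` replaces the default, so such callers still forward `Cookie` across hosts; that deserves a line in the changelog entry.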
@@ -0,0 +1,125 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+
+Conflict:test/with_dummyserver/test_poolmanager.py and
+test_connectionpool.py has not been modified because it has been deleted
+in the pre-phase of the spec file
+Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
+
+---
+ dummyserver/handlers.py | 7 +++++++
+ src/urllib3/_collections.py | 18 ++++++++++++++++++
+ src/urllib3/connectionpool.py | 5 +++++
+ src/urllib3/poolmanager.py | 7 +++++--
+ 4 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
+index c90c2fc..acd181d 100644
+--- a/dummyserver/handlers.py
++++ b/dummyserver/handlers.py
+@@ -186,6 +186,8 @@ class TestingApp(RequestHandler):
+ status = request.params.get("status", "303 See Other")
+ if len(status) == 3:
+ status = "%s Redirect" % status.decode("latin-1")
++ elif isinstance(status, bytes):
++ status = status.decode("latin-1")
+
+ headers = [("Location", target)]
+ return Response(status=status, headers=headers)
+@@ -264,6 +266,11 @@ class TestingApp(RequestHandler):
+ def headers(self, request):
+ return Response(json.dumps(dict(request.headers)))
+
++ def headers_and_params(self, request):
++ return Response(
++ json.dumps({"headers": dict(request.headers), "params": request.params})
++ )
++
+ def successful_retry(self, request):
+ """Handler which will return an error and then success
+
+diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
+index da9857e..bceb845 100644
+--- a/src/urllib3/_collections.py
++++ b/src/urllib3/_collections.py
+@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
+ else:
+ return vals[1:]
+
++ def _prepare_for_method_change(self):
++ """
++ Remove content-specific header fields before changing the request
++ method to GET or HEAD according to RFC 9110, Section 15.4.
++ """
++ content_specific_headers = [
++ "Content-Encoding",
++ "Content-Language",
++ "Content-Location",
++ "Content-Type",
++ "Content-Length",
++ "Digest",
++ "Last-Modified",
++ ]
++ for header in content_specific_headers:
++ self.discard(header)
++ return self
++
+ # Backwards compatibility for httplib
+ getheaders = getlist
+ getallmatchingheaders = getlist
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 659a9ca..ebce9ce 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -9,6 +9,7 @@ import warnings
+ from socket import error as SocketError
+ from socket import timeout as SocketTimeout
+
++from ._collections import HTTPHeaderDict
+ from .connection import (
+ BaseSSLError,
+ BrokenPipeError,
+@@ -832,7 +833,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+ redirect_location = redirect and response.get_redirect_location()
+ if redirect_location:
+ if response.status == 303:
++ # Change the method according to RFC 9110, Section 15.4.4.
+ method = "GET"
++ # And lose the body not to transfer anything sensitive.
++ body = None
++ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+
+ try:
+ retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index ca4ec34..5f4afe1 100644
+--- a/src/urllib3/poolmanager.py
++++ b/src/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import collections
+ import functools
+ import logging
+
+-from ._collections import RecentlyUsedContainer
++from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+ from .exceptions import (
+ LocationValueError,
+@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
+ # Support relative URLs for redirecting.
+ redirect_location = urljoin(url, redirect_location)
+
+- # RFC 7231, Section 6.4.4
+ if response.status == 303:
++ # Change the method according to RFC 9110, Section 15.4.4.
+ method = "GET"
++ # And lose the body not to transfer anything sensitive.
++ kw["body"] = None
++ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+
+ retries = kw.get("retries")
+ if not isinstance(retries, Retry):
+--
+2.23.0
+
diff --git a/backport-Fix-_idna_encode-handling-of-x80.patch b/backport-Fix-_idna_encode-handling-of-x80.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e40e4522d9529823662f0138c7df5a141653a69b
--- /dev/null
+++ b/backport-Fix-_idna_encode-handling-of-x80.patch
@@ -0,0 +1,29 @@
+From a06c05cd4bba292ee26e3e9116cff902e0440b52 Mon Sep 17 00:00:00 2001
+From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+Date: Wed, 8 Feb 2023 15:19:07 +0000
+Subject: [PATCH] Fix _idna_encode handling of '\x80'
+
+Co-authored-by: Illia Volochii
+
+Conflict:1.The content of "@@" is adapted 2.The line number is adapted
+Reference:https://github.com/urllib3/urllib3/commit/a06c05cd4bba292ee26e3e9116cff902e0440b52
+---
+ src/urllib3/util/url.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 63166e8..8bac93a 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -300,7 +300,7 @@ def _normalize_host(host, scheme):
+
+
+ def _idna_encode(name):
+- if name and any([ord(x) > 128 for x in name]):
++ if name and any(ord(x) >= 128 for x in name):
+ try:
+ import idna
+ except ImportError:
+--
+2.27.0
+
\ No newline at end of file
diff --git a/backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch b/backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea1fadc057d32b5d15d3fe4173815bcf7c9cedaf
--- /dev/null
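Review bot: `_prepare_for_method_change` in src/urllib3/_collections.py (backport-CVE-2023-45803) discards headers from `self` and then returns `self`, but its docstring does not say that it mutates the instance in place. Both call sites build a fresh object first, `HTTPHeaderDict(headers)._prepare_for_method_change()`, which is what keeps the caller's own header mapping untouched; a later caller that skips that wrap would strip a shared header object without warning. I would extend the docstring with `Mutates this instance and returns it; call it on a copy of caller-supplied headers.` In the poolmanager.py hunk `kw["headers"]` is indexed directly, so it is presumably always populated earlier in the method, outside the hunk; that is worth confirming against the 1.26.12 source this patch is applied to.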
+++ b/backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch 
@@ -0,0 +1,75 @@
+From a7ce8e0881c94800b14687145ee11940246d2b22 Mon Sep 17 00:00:00 2001
+From: Nick Williams <68963309+nickwilliams-zaxiom@users.noreply.github.com>
+Date: Fri, 20 Jan 2023 07:59:33 -0600
+Subject: [PATCH] [1.26] Fix socket timeout value when HTTPConnection is reused
+
+Co-authored-by: Seth Michael Larson
+Co-authored-by: Quentin Pradet
+
+Conflict:1.The content of "@@" is adapted 2.The line number is adapted 3. no add testcode
+Reference:https://github.com/urllib3/urllib3/commit/a7ce8e0881c94800b14687145ee11940246d2b22
+---
+ src/urllib3/connection.py | 5 +++++
+ src/urllib3/connectionpool.py | 2 +-
+ src/urllib3/util/timeout.py | 9 ++++++---
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
+index f48daea..f121511 100644
+--- a/src/urllib3/connection.py
++++ b/src/urllib3/connection.py
+@@ -229,6 +229,11 @@ class HTTPConnection(_HTTPConnection, object):
+ )
+
+ def request(self, method, url, body=None, headers=None):
++ # Update the inner socket's timeout value to send the request.
++ # This only triggers if the connection is re-used.
++ if getattr(self, "sock", None) is not None:
++ self.sock.settimeout(self.timeout)
++
+ if headers is None:
+ headers = {}
+ else:
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 8dccf4b..e528019 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -375,7 +375,7 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+
+ timeout_obj = self._get_timeout(timeout)
+ timeout_obj.start_connect()
+- conn.timeout = timeout_obj.connect_timeout
++ conn.timeout = Timeout.resolve_default_timeout(timeout_obj.connect_timeout)
+
+ # Trigger any extra validation we need to do.
+ try:
+diff --git a/src/urllib3/util/timeout.py b/src/urllib3/util/timeout.py
+index ff69593..78e18a6 100644
+--- a/src/urllib3/util/timeout.py
++++ b/src/urllib3/util/timeout.py
+@@ -2,9 +2,8 @@ from __future__ import absolute_import
+
+ import time
+
+-# The default socket timeout, used by httplib to indicate that no timeout was
+-# specified by the user
+-from socket import _GLOBAL_DEFAULT_TIMEOUT
++# The default socket timeout, used by httplib to indicate that no timeout was; specified by the user
++from socket import _GLOBAL_DEFAULT_TIMEOUT, getdefaulttimeout
+
+ from ..exceptions import TimeoutStateError
+
+@@ -116,6 +115,10 @@ class Timeout(object):
+ # __str__ provided for backwards compatibility
+ __str__ = __repr__
+
++ @classmethod
++ def resolve_default_timeout(cls, timeout):
++ return getdefaulttimeout() if timeout is cls.DEFAULT_TIMEOUT else timeout
++
+ @classmethod
+ def _validate_timeout(cls, value, name):
+ """Check that a timeout attribute is valid.
+--
+2.27.0
+
\ No newline at end of file
diff --git a/backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch b/backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5bd2301e1f50912a462ef5d1721777d1187cd87b
--- /dev/null
+++ b/backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch
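Review bot: In the connection.py part of this backport, `self.sock.settimeout(self.timeout)` passes `self.timeout` through unresolved, while only the pool path in connectionpool.py is changed to store `Timeout.resolve_default_timeout(...)`. If a connection is created outside that path and `timeout` still holds the default-timeout sentinel, the reused-socket branch would presumably hand a non-numeric object to `settimeout`; I would confirm this against the Reference commit rather than diverge from it. `resolve_default_timeout` has no docstring, and a one-line `"""Return socket.getdefaulttimeout() when *timeout* is the DEFAULT_TIMEOUT sentinel, else *timeout* unchanged."""` would make the contract explicit. The rewritten comment in timeout.py (`... no timeout was; specified by the user`) replaces two comment lines with one for no functional reason; keeping the original wording avoids needless drift from upstream.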
@@ -0,0 +1,27 @@
+From 27370204dbcb2ee555a136948afee276a96ddc87 Mon Sep 17 00:00:00 2001
+From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+Date: Fri, 3 Feb 2023 08:38:04 -0500
+Subject: [PATCH] [1.26] Remove "!" character from the "unreserved" characters
+ in IPv6 Zone ID parsing
+
+Conflict:The content of "index" and "@@" are adapted
+Reference:https://github.com/urllib3/urllib3/commit/27370204dbcb2ee555a136948afee276a96ddc87
+---
+ src/urllib3/util/url.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 63166e8..33dfb45 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -50,7 +50,7 @@ _variations = [
+ "(?:(?:%(hex)s:){0,6}%(hex)s)?::",
+ ]
+
+-UNRESERVED_PAT = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._!\-~"
++UNRESERVED_PAT = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._\-~"
+ IPV6_PAT = "(?:" + "|".join([x % _subs for x in _variations]) + ")"
+ ZONE_ID_PAT = "(?:%25|%)(?:[" + UNRESERVED_PAT + "]|%[a-fA-F0-9]{2})+"
+ IPV6_ADDRZ_PAT = r"\[" + IPV6_PAT + r"(?:" + ZONE_ID_PAT + r")?\]"
+--
+2.27.0
diff --git a/backport-fixed-issue-with-port-0-returning-None.patch b/backport-fixed-issue-with-port-0-returning-None.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d96eab9fc4e99f89312779f5f46a9a73f7c4464a
--- /dev/null
+++ b/backport-fixed-issue-with-port-0-returning-None.patch
@@ -0,0 +1,48 @@
+From 25fbd5fb72ae8790cff9512878d302120e387e64 Mon Sep 17 00:00:00 2001
+From: Anil Khatri
+Date: Sat, 31 Dec 2022 01:38:50 +0530
+Subject: [PATCH] Fixed issue with port "0" returning None
+
+Conflict:adapt:
+1.The content of "@@" is adapted
+2.The line number is adapted
+Reference:https://github.com/urllib3/urllib3/pull/2864
+
+---
+ src/urllib3/util/url.py | 2 +-
+ test/test_util.py | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 8964cef..63166e8 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -63,7 +63,7 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+
+-_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*?(|0|[1-9][0-9]{0,4}))?$") % (
+ REG_NAME_PAT,
+ IPV4_PAT,
+ IPV6_ADDRZ_PAT,
+diff --git a/test/test_util.py b/test/test_util.py
+index f6c8b43..7d512f5 100644
+--- a/test/test_util.py
++++ b/test/test_util.py
+@@ -347,6 +347,13 @@ class TestUtil(object):
+ url = parse_url("https://example.com:0000000000080")
+ assert url.port == 80
+
++ def test_parse_url_only_zeros(self):
++ url = parse_url("https://example.com:0")
++ assert url.port == 0
++
++ url = parse_url("https://example.com:000000000000")
++ assert url.port == 0
++
+ def test_Url_str(self):
+ U = Url("http", host="google.com")
+ assert str(U) == U.url
+--
+2.27.0
diff --git a/backport-strip-leading-zeros-form-ports.patch b/backport-strip-leading-zeros-form-ports.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1effc913d40c7cb338e1889fde1c4e8be1d0300d
--- /dev/null
+++ b/backport-strip-leading-zeros-form-ports.patch
@@ -0,0 +1,45 @@
+From 955da4d03eaa6785aef40a34f440a67d736a4793 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Tue, 22 Nov 2022 17:59:57 +0000
+Subject: [PATCH] [1.26] Strip leading zeros from ports
+
+Co-authored-by: Bastian Venthur
+Co-authored-by: Hasan Ramezani
+
+Conflict:NA
+Reference:https://github.com/urllib3/urllib3/commit/955da4d03eaa6785aef40a34f440a67d736a4793
+---
+ src/urllib3/util/url.py | 2 +-
+ test/test_util.py | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 81a03da..8964cef 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -63,7 +63,7 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+
+-_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*([0-9]{0,5}))?$") % (
+ REG_NAME_PAT,
+ IPV4_PAT,
+ IPV6_ADDRZ_PAT,
+diff --git a/test/test_util.py b/test/test_util.py
+index 562c106..f6c8b43 100644
+--- a/test/test_util.py
++++ b/test/test_util.py
+@@ -343,6 +343,10 @@ class TestUtil(object):
+ with pytest.raises(LocationParseError):
+ parse_url("https://www.google.com:-80/")
+
++ def test_parse_url_remove_leading_zeros(self):
++ url = parse_url("https://example.com:0000000000080")
++ assert url.port == 80
++
+ def test_Url_str(self):
+ U = Url("http", host="google.com")
+ assert str(U) == U.url
+--
+2.27.0
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 9729bf5835737dbee46df587d0ccf5fa155f7470..61fe87e24757a221ec94e27b658e4656050ee4ab 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -2,17 +2,23 @@ %bcond_without tests Name: python-%{srcname} -Version: 1.26.7 -Release: 2 +Version: 1.26.12 +Release: 6 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io -Source0: https://github.com/urllib3/urllib3/archive/%{version}/%{version}.tar.gz +Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.tar.gz Source1: ssl_match_hostname_py3.py Patch0001: remove_mock.patch Patch6000: backport-CVE-2021-28363.patch -Patch6001: Bump-RECENT_DATE.patch +Patch6001: backport-strip-leading-zeros-form-ports.patch +Patch6002: backport-fixed-issue-with-port-0-returning-None.patch +Patch6003: backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch +Patch6004: backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch +Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch +Patch6006: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch +Patch6007: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch BuildArch: noarch @@ -37,6 +43,10 @@ Python3 HTTP module with connection pooling and file POST abilities. %prep %autosetup -n %{srcname}-%{version} -p1 + +recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d") +sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py + #Failure use case circumvention rm -rf test/with_dummyserver/ rm -rf test/appengine/ @@ -62,7 +72,7 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc % %if %{with tests} %check # skip some failing tests -skiplist+="test_retry_deprecated or test_retry" +skiplist+="test_retry_deprecated or test_retry or test_ssl_object_attributes" PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pytest -v -k "not (${skiplist})" %endif 
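Review bot: The new %prep lines rewrite `RECENT_DATE` in src/urllib3/connection.py from the build host's clock (`date --date "7 month ago"`), so two builds of the same sources produce different code and a builder with a wrong clock ships a wrong constant. Deriving the date from `SOURCE_DATE_EPOCH` when it is set, or from the newest changelog entry, would keep the package reproducible while still avoiding the stale-date test failure the deleted Bump-RECENT_DATE.patch addressed. The `sed -i` also exits successfully when the pattern matches nothing, so a guard such as `grep -q '^RECENT_DATE = datetime.date(' src/urllib3/connection.py` before it would turn an upstream rename into a build failure instead of a silent no-op. A short comment above the two lines explaining why the value is patched at build time would help the next maintainer.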
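Review bot: `test_ssl_object_attributes` is added to the %check skip list with no reason recorded; the only explanation nearby is the existing `# skip some failing tests`. Since the name points at TLS socket behaviour, I would note why it fails on this distribution and when it can be re-enabled, for example `# test_ssl_object_attributes: <reason / tracking issue>`. The changed line also uses `skiplist+=`, which appends to any `skiplist` value already present in the build environment; a plain `skiplist="..."` makes the `-k` expression deterministic.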
@@ -74,6 +84,38 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Fri Nov 03 2023 chengyechun - 1.26.12-6 +- Type:CVE +- CVE:CVE-2023-45803 +- SUG:NA +- DESC:fix CVE-2023-45803 + +* Wed Oct 04 2023 Funda Wang - 1.26.12-5 +- Type:CVE +- CVE:CVE-2023-43804 +- SUG:NA +- DESC:fix CVE-2023-43804 + +* Tue Mar 21 2023 chenhaixing - 1.26.12-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix socket timeout value when HTTPConnect is reused + remove Exclamation mark character from the unreserved characters + fix _idna_encode handling of x80 + +* Fri Feb 10 2023 chenhaixing - 1.26.12-3 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:change _HOST_PORT_PAT to fix port is 0 but return None + +* Sat Dec 17 2022 chenhaixing - 1.26.12-2 +- DESC:fix util.parse_url function traceback when port have leading zeros + +* Sun Sep 04 2022 tianlijing - 1.26.12-1 +- update to 1.26.12 + * Wed Jul 06 2022 chenhaixing - 1.26.7-2 - add patch Bump RECENT_DATE and solve test case test_recent_date failed