packages/python-pip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-45803 and CVE-2024-37891

Browse Source
This commit is contained in:
y00574793 2024-07-13 15:17:08 +08:00
parent d1f5c36976
commit 5df565248a
3 changed files with 135 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch Normal file
View File

@ -0,0 +1,98 @@
From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Tue, 17 Oct 2023 19:35:39 +0300
Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
Conflict:Files dummyserver/handlers.py, test/with_dummyserver/test_connectionpool.py
and test/with_dummyserver/test_poolmanager.py do not exist. Therefore, no dummy server
and test case is involved.
Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
---
src/pip/_vendor/urllib3/_collections.py | 18 ++++++++++++++++++
src/pip/_vendor/urllib3/connectionpool.py | 6 +++++-
src/pip/_vendor/urllib3/poolmanager.py | 7 +++++--
3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
index 019d151..8b3f0f7 100644
--- a/src/pip/_vendor/urllib3/_collections.py
+++ b/src/pip/_vendor/urllib3/_collections.py
@@ -267,6 +267,24 @@ class HTTPHeaderDict(MutableMapping):
else:
return vals[1:]
+ def _prepare_for_method_change(self):
+ """
+ Remove content-specific header fields before changing the request
+ method to GET or HEAD according to RFC 9110, Section 15.4.
+ """
+ content_specific_headers = [
+ "Content-Encoding",
+ "Content-Language",
+ "Content-Location",
+ "Content-Type",
+ "Content-Length",
+ "Digest",
+ "Last-Modified",
+ ]
+ for header in content_specific_headers:
+ self.discard(header)
+ return self
+
# Backwards compatibility for httplib
getheaders = getlist
getallmatchingheaders = getlist
diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
index 5f044db..539eb04 100644
--- a/src/pip/_vendor/urllib3/connectionpool.py
+++ b/src/pip/_vendor/urllib3/connectionpool.py
@@ -7,7 +7,7 @@ import warnings
from socket import error as SocketError, timeout as SocketTimeout
import socket
-
+from ._collections import HTTPHeaderDict
from .exceptions import (
ClosedPoolError,
ProtocolError,
@@ -769,7 +769,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
redirect_location = redirect and response.get_redirect_location()
if redirect_location:
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
try:
retries = retries.increment(method, url, response=response, _pool=self)
diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
index e2bd3bd..c30c5e0 100644
--- a/src/pip/_vendor/urllib3/poolmanager.py
+++ b/src/pip/_vendor/urllib3/poolmanager.py
@@ -4,7 +4,7 @@ import functools
import logging
import warnings
-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool
from .connectionpool import port_by_scheme
from .exceptions import (
@@ -342,9 +342,12 @@ class PoolManager(RequestMethods):
# Support relative URLs for redirecting.
redirect_location = urljoin(url, redirect_location)
- # RFC 7231, Section 6.4.4
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ kw["body"] = None
+ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
retries = kw.get("retries")
if not isinstance(retries, Retry):
--

31
backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch Normal file
View File

@ -0,0 +1,31 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
Conflict:Files test/test_retry.py and test/with_dummyserver/test_poolmanager.py do not
exist. Therefore, no test case is involved.
Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
---
src/pip/_vendor/urllib3/util/retry.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
index 545e876..b4a2d3d 100644
--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
@@ -154,7 +154,9 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie","Authorization"])
+ DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Maximum backoff time.
BACKOFF_MAX = 120
--

7
python-pip.spec
View File

@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
Name: python-%{srcname} Name: python-%{srcname}
Version: 20.2.2 Version: 20.2.2
Release: 8 Release: 9
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL: http://www.pip-installer.org URL: http://www.pip-installer.org
@ -22,6 +22,8 @@ Patch6002: backport-CVE-2021-33503.patch
Patch6003: backport-CVE-2020-14422.patch Patch6003: backport-CVE-2020-14422.patch
Patch6004: backport-fix-vulnerable-regex.patch Patch6004: backport-fix-vulnerable-regex.patch
Patch6005: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch Patch6005: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
Patch6006: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
Patch6007: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
Source1: pip-allow-older-versions.patch Source1: pip-allow-older-versions.patch
@ -159,6 +161,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
%{python_wheeldir}/%{python_wheelname} %{python_wheeldir}/%{python_wheelname}
%changelog %changelog
* Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 20.2.2-9
- Fix CVE-2023-45803 and CVE-2024-37891
* Wed Jun 26 2024 zhangruifang <zhangruifang@h-partners.com> - 20.2.2-8 * Wed Jun 26 2024 zhangruifang <zhangruifang@h-partners.com> - 20.2.2-8
- Fix CVE-2023-43804 - Fix CVE-2023-43804