packages/python-urllib3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!117 fix CVE-2024-37891

Browse Source 
From: @chengyechun 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
This commit is contained in:
openeuler-ci-bot 2025-03-24 06:19:56 +00:00 committed by Gitee
commit 8f40019f83
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 81 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch Normal file
View File

@ -0,0 +1,73 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
* Fix test_retry_default_remove_headers_on_redirect
* Set release date
Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified
because it has been deleted in the pre-phase of the spec file
Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
---
CHANGES.rst | 6 ++++++
src/urllib3/util/retry.py | 4 +++-
test/test_retry.py | 6 +++++-
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 389980f..01ea636 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,12 @@
Changes
=======
+2.2.2 (2024-06-17)
+==================
+
+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a di
+fferent host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
1.25.9 (2020-04-16)
-------------------
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 20b7f69..b4a2d3d 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -154,7 +154,9 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Maximum backoff time.
BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index 1d21511..0c12014 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -270,7 +270,11 @@ class TestRetry(object):
def test_retry_default_remove_headers_on_redirect(self):
retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
def test_retry_set_remove_headers_on_redirect(self):
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
--
2.33.0

9
python-urllib3.spec
View File

@ -3,7 +3,7 @@
Name: python-%{srcname}
Version: 1.25.9
Release: 10
Release: 11
Summary: Sanity-friendly HTTP client for Python
License: MIT
URL: https://urllib3.readthedocs.io
@ -21,6 +21,7 @@ Patch6005: backport-fixed-issue-with-port-0-returning-None.patch
Patch6006: backport-fix-NRESERVED_PAT-and-_idna_encode.patch
Patch6007: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
Patch6008: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
Patch6009: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
%global _description \
HTTP library with thread-safe connection pooling, file post support,\
@ -122,6 +123,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
%{python3_sitelib}/urllib3-*.egg-info
%changelog
* Fri Mar 21 2025 chengyechun <chengyechun1@huawei.com> - 1.25.9-11
- Type:CVE
- CVE:CVE-2024-37891
- SUG:NA
- DESC:fix CVE-2024-37891
* Mon Nov 06 2023 chengyechun <chengyechun1@huawei.com> - 1.25.9-10
- Type:CVE
- CVE:CVE-2023-45803