import python-requests-2.20.0-2.1.el8_1

2020-01-21 16:47:52 -05:00 · 2020-01-21 16:47:52 -05:00 · a1205eb92c
commit a1205eb92c
parent a1de58af25
2 changed files with 82 additions and 1 deletions
--- a/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
+++ b/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
@ -0,0 +1,67 @@
+diff --git a/requests/sessions.py b/requests/sessions.py
+index a448bd8..d73d700 100644
+--- a/requests/sessions.py
+++ b/requests/sessions.py
+@@ -19,7 +19,7 @@ from .cookies import (
+ from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
+ from .hooks import default_hooks, dispatch_hook
+ from ._internal_utils import to_native_string
+-from .utils import to_key_val_list, default_headers
+from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
+ from .exceptions import (
+     TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
+ 
+@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
+         if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
+                 and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
+             return False
+
+        # Handle default port usage corresponding to scheme.
+        changed_port = old_parsed.port != new_parsed.port
+        changed_scheme = old_parsed.scheme != new_parsed.scheme
+        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
+        if (not changed_scheme and old_parsed.port in default_port
+                and new_parsed.port in default_port):
+            return False
+
+         # Standard case: root URI must match
+-        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
+        return changed_port or changed_scheme
+ 
+     def resolve_redirects(self, resp, req, stream=False, timeout=None,
+                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+diff --git a/requests/utils.py b/requests/utils.py
+index 0ce7fe1..04145c8 100644
+--- a/requests/utils.py
+++ b/requests/utils.py
+@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
+ 
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+ 
+DEFAULT_PORTS = {'http': 80, 'https': 443}
+
+ 
+ if sys.platform == 'win32':
+     # provide a proxy_bypass version on Windows without DNS lookups
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index f46561e..f99fdaf 100644
+--- a/tests/test_requests.py
+++ b/tests/test_requests.py
+@@ -1611,6 +1611,17 @@ class TestRequests:
+         s = requests.Session()
+         assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
+ 
+    @pytest.mark.parametrize(
+        'old_uri, new_uri', (
+            ('https://example.com:443/foo', 'https://example.com/bar'),
+            ('http://example.com:80/foo', 'http://example.com/bar'),
+            ('https://example.com/foo', 'https://example.com:443/bar'),
+            ('http://example.com/foo', 'http://example.com:80/bar')
+        ))
+    def test_should_strip_auth_default_port(self, old_uri, new_uri):
+        s = requests.Session()
+        assert not s.should_strip_auth(old_uri, new_uri)
+
+     def test_manual_redirect_with_partial_body_read(self, httpbin):
+         s = requests.Session()
+         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
--- a/SPECS/python-requests.spec
+++ b/SPECS/python-requests.spec
@ -10,7 +10,7 @@

 Name:           python-requests
 Version:        2.20.0
-Release:        1%{?dist}
+Release:        2.1%{?dist}
 Summary:        HTTP library, written in Python, for human beings

 License:        ASL 2.0
@ -38,6 +38,12 @@ Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
 #   build-time package tests
 Patch5:         Skip-all-tests-needing-httpbin.patch

+# Properly handle default ports when stripping the authorization header.
+# This fixes a regression introduced with fixing CVE-2018-18074.
+# Fixed upstream: https://github.com/psf/requests/pull/4851
+# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1758261
+Patch6:         properly-handle-default-ports-in-auth-stripping.patch
+
 BuildArch:      noarch

 %description
@ -100,6 +106,14 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v


 %changelog
+* Thu Oct 17 2019 Tomas Orsava <torsava@redhat.com> - 2.20.0-2.1
+- Bumping to enable gating
+Related: rhbz#1758261
+
+* Mon Oct 14 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.20.0-2
+- Properly handle default ports when stripping the authorization header
+Resolves: rhbz#1758261
+
 * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
 - Update to v2.20.0 for CVE-2018-18074.