.gitignore

@@ -1 +1 @@
-SOURCES/requests-v2.20.0.tar.gz
+SOURCES/requests-v2.25.1.tar.gz

.python-requests.metadata

@@ -1 +1 @@
-2c0728fc3aca17419b2b574341a0b019e117d4f5 SOURCES/requests-v2.20.0.tar.gz
+804fdbaf3dbc57f49a66cef920e9d4a5ce3460eb SOURCES/requests-v2.25.1.tar.gz

SOURCES/CVE-2023-32681.patch

@@ -0,0 +1,59 @@
+From 88313c734876b90c266d183d07d26338a14bc54c Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 45ab8a5..db9c594 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 5e721cb..c70706f 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -551,6 +551,26 @@ class TestRequests:
+         with pytest.raises(InvalidProxyURL):
+             requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ('user', 'pass')
+         wrong_auth = ('wronguser', 'wrongpass')
+-- 
+2.40.1
+

SOURCES/CVE-2024-35195.patch

@@ -0,0 +1,629 @@
+From e94346e13375d81b35644e95ea4340e957ee2a7d Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 14:39:48 +0100
+Subject: [PATCH 1/8] Use TLS settings in selecting connection pool
+
+Upstream commit: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356
+---
+ requests/adapters.py | 53 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index fa4d9b3..b768460 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -10,6 +10,7 @@ and maintain connections.
+ 
+ import os.path
+ import socket
++import typing
+ 
+ from urllib3.poolmanager import PoolManager, proxy_from_url
+ from urllib3.response import HTTPResponse
+@@ -52,6 +53,28 @@ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+ 
+ 
++def _urllib3_request_context(
++    request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++    host_params = {}
++    pool_kwargs = {}
++    parsed_request_url = urlparse(request.url)
++    scheme = parsed_request_url.scheme.lower()
++    port = parsed_request_url.port
++    cert_reqs = "CERT_REQUIRED"
++    if verify is False:
++        cert_reqs = "CERT_NONE"
++    if isinstance(verify, str):
++        pool_kwargs["ca_certs"] = verify
++    pool_kwargs["cert_reqs"] = cert_reqs
++    host_params = {
++        "scheme": scheme,
++        "host": parsed_request_url.hostname,
++        "port": port,
++    }
++    return host_params, pool_kwargs
++
++
+ class BaseAdapter(object):
+     """The Base Transport Adapter"""
+ 
+@@ -289,6 +312,34 @@ class HTTPAdapter(BaseAdapter):
+ 
+         return response
+ 
++    def _get_connection(self, request, verify, proxies=None):
++        # Replace the existing get_connection without breaking things and
++        # ensure that TLS settings are considered when we interact with
++        # urllib3 HTTP Pools
++        proxy = select_proxy(request.url, proxies)
++        try:
++            host_params, pool_kwargs = _urllib3_request_context(request, verify)
++        except ValueError as e:
++            raise InvalidURL(e, request=request)
++        if proxy:
++            proxy = prepend_scheme_if_needed(proxy, "http")
++            proxy_url = parse_url(proxy)
++            if not proxy_url.host:
++                raise InvalidProxyURL(
++                    "Please check proxy URL. It is malformed "
++                    "and could be missing the host."
++                )
++            proxy_manager = self.proxy_manager_for(proxy)
++            conn = proxy_manager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++        else:
++            # Only scheme should be lower case
++            conn = self.poolmanager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++        return conn
++
+     def get_connection(self, url, proxies=None):
+         """Returns a urllib3 connection for the given URL. This should not be
+         called from user code, and is only exposed for use when subclassing the
+@@ -409,7 +460,7 @@ class HTTPAdapter(BaseAdapter):
+         """
+ 
+         try:
+-            conn = self.get_connection(request.url, proxies)
++            conn = self._get_connection(request, verify, proxies)
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+ 
+-- 
+2.47.1
+
+From d3c30b0c69d8efe9a8ebce1f05d72dc0ac47ed67 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 14:45:08 +0100
+Subject: [PATCH 2/8] Add additional context parameters for our pool manager
+
+Upstream commit: https://github.com/psf/requests/commit/a94e9b5308ffcc3d2913ab873e9810a6601a67da
+---
+ requests/adapters.py | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index b768460..65ad876 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -54,7 +54,9 @@ DEFAULT_POOL_TIMEOUT = None
+ 
+ 
+ def _urllib3_request_context(
+-    request: "PreparedRequest", verify: "bool | str | None"
++    request: "PreparedRequest",
++    verify: "bool | str | None",
++    client_cert: "typing.Tuple[str, str] | str | None",
+ ) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
+     host_params = {}
+     pool_kwargs = {}
+@@ -67,6 +69,14 @@ def _urllib3_request_context(
+     if isinstance(verify, str):
+         pool_kwargs["ca_certs"] = verify
+     pool_kwargs["cert_reqs"] = cert_reqs
++    if client_cert is not None:
++        if isinstance(client_cert, tuple) and len(client_cert) == 2:
++            pool_kwargs["cert_file"] = client_cert[0]
++            pool_kwargs["key_file"] = client_cert[1]
++        else:
++            # According to our docs, we allow users to specify just the client
++            # cert path
++            pool_kwargs["cert_file"] = client_cert
+     host_params = {
+         "scheme": scheme,
+         "host": parsed_request_url.hostname,
+@@ -312,13 +322,13 @@ class HTTPAdapter(BaseAdapter):
+ 
+         return response
+ 
+-    def _get_connection(self, request, verify, proxies=None):
++    def _get_connection(self, request, verify, proxies=None, cert=None):
+         # Replace the existing get_connection without breaking things and
+         # ensure that TLS settings are considered when we interact with
+         # urllib3 HTTP Pools
+         proxy = select_proxy(request.url, proxies)
+         try:
+-            host_params, pool_kwargs = _urllib3_request_context(request, verify)
++            host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
+         except ValueError as e:
+             raise InvalidURL(e, request=request)
+         if proxy:
+@@ -460,7 +470,7 @@ class HTTPAdapter(BaseAdapter):
+         """
+ 
+         try:
+-            conn = self._get_connection(request, verify, proxies)
++            conn = self._get_connection(request, verify, proxies=proxies, cert=cert)
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+ 
+-- 
+2.47.1
+
+From 5dbe98fe21871f315cc68473165cbbed5eb5f048 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 14:51:34 +0100
+Subject: [PATCH 3/8] Avoid reloading root certificates to improve concurrent
+ performance
+
+Upstream commit: https://github.com/psf/requests/commit/9a40d1277807f0a4f26c9a37eea8ec90faa8aadc
+---
+ requests/adapters.py | 44 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 65ad876..7502059 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -17,6 +17,7 @@ from urllib3.response import HTTPResponse
+ from urllib3.util import parse_url
+ from urllib3.util import Timeout as TimeoutSauce
+ from urllib3.util.retry import Retry
++from urllib3.util.ssl_ import create_urllib3_context
+ from urllib3.exceptions import ClosedPoolError
+ from urllib3.exceptions import ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -52,6 +53,11 @@ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+ 
++_preloaded_ssl_context = create_urllib3_context()
++_preloaded_ssl_context.load_verify_locations(
++    extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
++)
++
+ 
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+@@ -66,8 +72,13 @@ def _urllib3_request_context(
+     cert_reqs = "CERT_REQUIRED"
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    if isinstance(verify, str):
+-        pool_kwargs["ca_certs"] = verify
++    elif verify is True:
++        pool_kwargs["ssl_context"] = _preloaded_ssl_context
++    elif isinstance(verify, str):
++        if not os.path.isdir(verify):
++            pool_kwargs["ca_certs"] = verify
++        else:
++            pool_kwargs["ca_cert_dir"] = verify
+     pool_kwargs["cert_reqs"] = cert_reqs
+     if client_cert is not None:
+         if isinstance(client_cert, tuple) and len(client_cert) == 2:
+@@ -247,25 +258,26 @@ class HTTPAdapter(BaseAdapter):
+         """
+         if url.lower().startswith('https') and verify:
+ 
+-            cert_loc = None
++            conn.cert_reqs = "CERT_REQUIRED"
+ 
+-            # Allow self-specified cert location.
++            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
++            # Otherwise, if verify is a boolean, we don't load anything since
++            # the connection will be using a context with the default certificates already loaded,
++            # and this avoids a call to the slow load_verify_locations()
+             if verify is not True:
++                # `verify` must be a str with a path then
+                 cert_loc = verify
+ 
+-            if not cert_loc:
+-                cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+-
+-            if not cert_loc or not os.path.exists(cert_loc):
+-                raise IOError("Could not find a suitable TLS CA certificate bundle, "
+-                              "invalid path: {}".format(cert_loc))
+-
+-            conn.cert_reqs = 'CERT_REQUIRED'
++                if not os.path.exists(cert_loc):
++                    raise OSError(
++                        f"Could not find a suitable TLS CA certificate bundle, "
++                        f"invalid path: {cert_loc}"
++                    )
+ 
+-            if not os.path.isdir(cert_loc):
+-                conn.ca_certs = cert_loc
+-            else:
+-                conn.ca_cert_dir = cert_loc
++                if not os.path.isdir(cert_loc):
++                    conn.ca_certs = cert_loc
++                else:
++                    conn.ca_cert_dir = cert_loc
+         else:
+             conn.cert_reqs = 'CERT_NONE'
+             conn.ca_certs = None
+-- 
+2.47.1
+
+From 232d96f2662eefbb3ebcfde94532ae38a6fe6f6f Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 14:53:47 +0100
+Subject: [PATCH 4/8] Move _get_connection to get_connection_with_tls_context
+
+Upstream commit: https://github.com/psf/requests/commit/aa1461b68aa73e2f6ec0e78c8853b635c76fd099
+---
+ requests/adapters.py | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 7502059..823efcd 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -334,10 +334,19 @@ class HTTPAdapter(BaseAdapter):
+ 
+         return response
+ 
+-    def _get_connection(self, request, verify, proxies=None, cert=None):
+-        # Replace the existing get_connection without breaking things and
+-        # ensure that TLS settings are considered when we interact with
+-        # urllib3 HTTP Pools
++    def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
++        """Returns a urllib3 connection for the given request and TLS settings.
++        This should not be called from user code, and is only exposed for use
++        when subclassing the :class:`HTTPAdapter <requests.adapters.HTTPAdapter>`.
++        :param request: The :class:`PreparedRequest <PreparedRequest>` object
++            to be sent over the connection.
++        :param verify: Either a boolean, in which case it controls whether
++            we verify the server's TLS certificate, or a string, in which case it
++            must be a path to a CA bundle to use.
++        :param proxies: (optional) The proxies dictionary to apply to the request.
++        :param cert: (optional) Any user-provided SSL certificate to be trusted.
++        :rtype: urllib3.ConnectionPool
++        """
+         proxy = select_proxy(request.url, proxies)
+         try:
+             host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
+@@ -363,7 +372,9 @@ class HTTPAdapter(BaseAdapter):
+         return conn
+ 
+     def get_connection(self, url, proxies=None):
+-        """Returns a urllib3 connection for the given URL. This should not be
++        """DEPRECATED: Users should move to `get_connection_with_tls_context`
++        for all subclasses of HTTPAdapter using Requests>=2.32.2.
++        Returns a urllib3 connection for the given URL. This should not be
+         called from user code, and is only exposed for use when subclassing the
+         :class:`HTTPAdapter <requests.adapters.HTTPAdapter>`.
+ 
+@@ -482,7 +493,9 @@ class HTTPAdapter(BaseAdapter):
+         """
+ 
+         try:
+-            conn = self._get_connection(request, verify, proxies=proxies, cert=cert)
++            conn = self.get_connection_with_tls_context(
++                request, verify, proxies=proxies, cert=cert
++            )
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+ 
+-- 
+2.47.1
+
+From c380f08f4ba26e8658f20347cf82b3c2c4b797ea Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 14:57:09 +0100
+Subject: [PATCH 5/8] Allow for overriding of specific pool key params
+
+Upstream commit: https://github.com/psf/requests/commit/a62a2d35d918baa8e793f7aa4fb41527644dfca5
+---
+ requests/adapters.py | 73 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 64 insertions(+), 9 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 823efcd..1ee302c 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -334,22 +334,77 @@ class HTTPAdapter(BaseAdapter):
+ 
+         return response
+ 
++    def build_connection_pool_key_attributes(self, request, verify, cert=None):
++        """Build the PoolKey attributes used by urllib3 to return a connection.
++        This looks at the PreparedRequest, the user-specified verify value,
++        and the value of the cert parameter to determine what PoolKey values
++        to use to select a connection from a given urllib3 Connection Pool.
++        The SSL related pool key arguments are not consistently set. As of
++        this writing, use the following to determine what keys may be in that
++        dictionary:
++        * If ``verify`` is ``True``, ``"ssl_context"`` will be set and will be the
++          default Requests SSL Context
++        * If ``verify`` is ``False``, ``"ssl_context"`` will not be set but
++          ``"cert_reqs"`` will be set
++        * If ``verify`` is a string, (i.e., it is a user-specified trust bundle)
++          ``"ca_certs"`` will be set if the string is not a directory recognized
++          by :py:func:`os.path.isdir`, otherwise ``"ca_certs_dir"`` will be
++          set.
++        * If ``"cert"`` is specified, ``"cert_file"`` will always be set. If
++          ``"cert"`` is a tuple with a second item, ``"key_file"`` will also
++          be present
++        To override these settings, one may subclass this class, call this
++        method and use the above logic to change parameters as desired. For
++        example, if one wishes to use a custom :py:class:`ssl.SSLContext` one
++        must both set ``"ssl_context"`` and based on what else they require,
++        alter the other keys to ensure the desired behaviour.
++        :param request:
++            The PreparedReqest being sent over the connection.
++        :type request:
++            :class:`~requests.models.PreparedRequest`
++        :param verify:
++            Either a boolean, in which case it controls whether
++            we verify the server's TLS certificate, or a string, in which case it
++            must be a path to a CA bundle to use.
++        :param cert:
++            (optional) Any user-provided SSL certificate for client
++            authentication (a.k.a., mTLS). This may be a string (i.e., just
++            the path to a file which holds both certificate and key) or a
++            tuple of length 2 with the certificate file path and key file
++            path.
++        :returns:
++            A tuple of two dictionaries. The first is the "host parameters"
++            portion of the Pool Key including scheme, hostname, and port. The
++            second is a dictionary of SSLContext related parameters.
++        """
++        return _urllib3_request_context(request, verify, cert)
++
+     def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
+         """Returns a urllib3 connection for the given request and TLS settings.
+         This should not be called from user code, and is only exposed for use
+         when subclassing the :class:`HTTPAdapter <requests.adapters.HTTPAdapter>`.
+-        :param request: The :class:`PreparedRequest <PreparedRequest>` object
+-            to be sent over the connection.
+-        :param verify: Either a boolean, in which case it controls whether
+-            we verify the server's TLS certificate, or a string, in which case it
+-            must be a path to a CA bundle to use.
+-        :param proxies: (optional) The proxies dictionary to apply to the request.
+-        :param cert: (optional) Any user-provided SSL certificate to be trusted.
+-        :rtype: urllib3.ConnectionPool
++        :param request:
++            The :class:`PreparedRequest <PreparedRequest>` object to be sent
++            over the connection.
++        :param verify:
++            Either a boolean, in which case it controls whether we verify the
++            server's TLS certificate, or a string, in which case it must be a
++            path to a CA bundle to use.
++        :param proxies:
++            (optional) The proxies dictionary to apply to the request.
++        :param cert:
++            (optional) Any user-provided SSL certificate to be used for client
++            authentication (a.k.a., mTLS).
++        :rtype:
++            urllib3.ConnectionPool
+         """
+         proxy = select_proxy(request.url, proxies)
+         try:
+-            host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
++            host_params, pool_kwargs = self.build_connection_pool_key_attributes(
++                request,
++                verify,
++                cert,
++            )
+         except ValueError as e:
+             raise InvalidURL(e, request=request)
+         if proxy:
+-- 
+2.47.1
+
+From 1f7a7a4748fec114fdb042649e8b2685fb2af464 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 14:59:19 +0100
+Subject: [PATCH 6/8] Don't use default SSLContext with custom poolmanager
+ kwargs
+
+Upstream commit: https://github.com/psf/requests/commit/b1d73ddb509a3a2d3e10744e85f9cdebdbde90f0
+---
+ requests/adapters.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 1ee302c..359bd22 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -63,16 +63,20 @@ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+     client_cert: "typing.Tuple[str, str] | str | None",
++    poolmanager: "PoolManager",
+ ) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
+     host_params = {}
+     pool_kwargs = {}
+     parsed_request_url = urlparse(request.url)
+     scheme = parsed_request_url.scheme.lower()
+     port = parsed_request_url.port
++    poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
++    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
++
+     cert_reqs = "CERT_REQUIRED"
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif verify is True:
++    elif verify is True and not has_poolmanager_ssl_context:
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif isinstance(verify, str):
+         if not os.path.isdir(verify):
+@@ -377,7 +381,7 @@ class HTTPAdapter(BaseAdapter):
+             portion of the Pool Key including scheme, hostname, and port. The
+             second is a dictionary of SSLContext related parameters.
+         """
+-        return _urllib3_request_context(request, verify, cert)
++        return _urllib3_request_context(request, verify, cert, self.poolmanager)
+ 
+     def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
+         """Returns a urllib3 connection for the given request and TLS settings.
+-- 
+2.47.1
+
+From f9e9a8b2a392b771d5ab644192246379667bbf08 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 15:01:24 +0100
+Subject: [PATCH 7/8] Don't create default SSLContext if ssl module isn't
+ present
+
+Upstream commit: https://github.com/psf/requests/commit/e18879932287c2bf4bcee4ddf6ccb8a69b6fc656
+---
+ requests/adapters.py | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 359bd22..4062137 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -53,10 +53,17 @@ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+ 
+-_preloaded_ssl_context = create_urllib3_context()
+-_preloaded_ssl_context.load_verify_locations(
+-    extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+-)
++
++try:
++    import ssl  # noqa: F401
++    _preloaded_ssl_context = create_urllib3_context()
++    _preloaded_ssl_context.load_verify_locations(
++        extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
++    )
++except ImportError:
++    # Bypass default SSLContext creation when Python
++    # interpreter isn't built with the ssl module.
++    _preloaded_ssl_context = None
+ 
+ 
+ def _urllib3_request_context(
+@@ -70,13 +77,19 @@ def _urllib3_request_context(
+     parsed_request_url = urlparse(request.url)
+     scheme = parsed_request_url.scheme.lower()
+     port = parsed_request_url.port
++
++    # Determine if we have and should use our default SSLContext
++    # to optimize performance on standard requests.
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+     has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
++    should_use_default_ssl_context = (
++        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
++    )
+ 
+     cert_reqs = "CERT_REQUIRED"
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif verify is True and not has_poolmanager_ssl_context:
++    elif verify is True and should_use_default_ssl_context:
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif isinstance(verify, str):
+         if not os.path.isdir(verify):
+-- 
+2.47.1
+
+From fd57339bb1f7f0e1726d52f4b45d54ae1262d09f Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 17 Dec 2024 15:08:02 +0100
+Subject: [PATCH 8/8] Address certificate loading regression
+
+Upstream source: https://github.com/psf/requests/pull/6731
+---
+ requests/adapters.py | 45 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 30 insertions(+), 15 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 4062137..6dac45e 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -66,6 +66,23 @@ except ImportError:
+     _preloaded_ssl_context = None
+ 
+ 
++def _should_use_default_context(
++    verify: "bool | str | None",
++    client_cert: "typing.Tuple[str, str] | str | None",
++    poolmanager_kwargs: typing.Dict[str, typing.Any],
++) -> bool:
++    # Determine if we have and should use our default SSLContext
++    # to optimize performance on standard requests.
++    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
++    should_use_default_ssl_context = (
++        verify is True
++        and _preloaded_ssl_context is not None
++        and not has_poolmanager_ssl_context
++        and client_cert is None
++    )
++    return should_use_default_ssl_context
++
++
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+@@ -77,25 +94,25 @@ def _urllib3_request_context(
+     parsed_request_url = urlparse(request.url)
+     scheme = parsed_request_url.scheme.lower()
+     port = parsed_request_url.port
+-
+-    # Determine if we have and should use our default SSLContext
+-    # to optimize performance on standard requests.
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+-    should_use_default_ssl_context = (
+-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
+-    )
+ 
+     cert_reqs = "CERT_REQUIRED"
++    cert_loc = None
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif verify is True and should_use_default_ssl_context:
++    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
++    elif verify is True:
++        # Set default ca cert location if none provided
++        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+     elif isinstance(verify, str):
+-        if not os.path.isdir(verify):
+-            pool_kwargs["ca_certs"] = verify
++        cert_loc = verify
++
++    if cert_loc is not None:
++        if not os.path.isdir(cert_loc):
++            pool_kwargs["ca_certs"] = cert_loc
+         else:
+-            pool_kwargs["ca_cert_dir"] = verify
++            pool_kwargs["ca_cert_dir"] = cert_loc
+     pool_kwargs["cert_reqs"] = cert_reqs
+     if client_cert is not None:
+         if isinstance(client_cert, tuple) and len(client_cert) == 2:
+@@ -277,10 +294,8 @@ class HTTPAdapter(BaseAdapter):
+ 
+             conn.cert_reqs = "CERT_REQUIRED"
+ 
+-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
+-            # Otherwise, if verify is a boolean, we don't load anything since
+-            # the connection will be using a context with the default certificates already loaded,
+-            # and this avoids a call to the slow load_verify_locations()
++            # Only load the CA certificates if `verify` is a
++            # string indicating the CA bundle to use.
+             if verify is not True:
+                 # `verify` must be a str with a path then
+                 cert_loc = verify
+-- 
+2.47.1
+

SOURCES/Don-t-inject-pyopenssl-into-urllib3.patch

@@ -1,38 +0,0 @@
-From 86b1fa39fdebdb7bc57131c1a198d4d18e104f95 Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jeremy@jcline.org>
-Date: Mon, 16 Apr 2018 10:35:35 -0400
-Subject: [PATCH] Don't inject pyopenssl into urllib3
-
-Fedora ships sufficiently new versions of Python 2 and 3 to make this
-unnecessary (rhbz 1567862)
-
-Signed-off-by: Jeremy Cline <jeremy@jcline.org>
----
- requests/__init__.py | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/requests/__init__.py b/requests/__init__.py
-index a5b3c9c3..e312d314 100644
---- a/requests/__init__.py
-+++ b/requests/__init__.py
-@@ -90,17 +90,6 @@ except (AssertionError, ValueError):
-                   "version!".format(urllib3.__version__, chardet.__version__),
-                   RequestsDependencyWarning)
- 
--# Attempt to enable urllib3's SNI support, if possible
--try:
--    from urllib3.contrib import pyopenssl
--    pyopenssl.inject_into_urllib3()
--
--    # Check cryptography version
--    from cryptography import __version__ as cryptography_version
--    _check_cryptography(cryptography_version)
--except ImportError:
--    pass
--
- # urllib3's DependencyWarnings should be silenced.
- from urllib3.exceptions import DependencyWarning
- warnings.simplefilter('ignore', DependencyWarning)
--- 
-2.17.0
-

SOURCES/Empty-security-extras.patch

@@ -0,0 +1,13 @@
+diff --git a/setup.py b/setup.py
+index 065eb22..043ae42 100755
+--- a/setup.py
++++ b/setup.py
+@@ -100,7 +100,7 @@ setup(
+     cmdclass={'test': PyTest},
+     tests_require=test_requirements,
+     extras_require={
+-        'security': ['pyOpenSSL >= 0.14', 'cryptography>=1.3.4'],
++        'security': [],
+         'socks': ['PySocks>=1.5.6, !=1.5.7'],
+         'socks:sys_platform == "win32" and python_version == "2.7"': ['win_inet_pton'],
+     },

SOURCES/Remove-tests-that-use-the-tarpit.patch

@@ -1,4 +1,4 @@
-From 524cd22fb77e69db9bb3f017bbb1d9782c37b0cd Mon Sep 17 00:00:00 2001
+From bb1c91432c5e9a1f402692db5c80c65136656afb Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jeremy@jcline.org>
 Date: Tue, 13 Jun 2017 09:08:09 -0400
 Subject: [PATCH] Remove tests that use the tarpit
@@ -15,10 +15,10 @@ Signed-off-by: Jeremy Cline <jeremy@jcline.org>
  1 file changed, 25 deletions(-)
 
 diff --git a/tests/test_requests.py b/tests/test_requests.py
-index b8350cb..46b7e9e 100755
+index 7d4a4eb5..8d1c55fc 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
-@@ -2049,31 +2049,6 @@ class TestTimeout:
+@@ -2186,31 +2186,6 @@ class TestTimeout:
          except ReadTimeout:
              pass
  
@@ -48,8 +48,8 @@ index b8350cb..46b7e9e 100755
 -            pass
 -
      def test_encoded_methods(self, httpbin):
-         """See: https://github.com/requests/requests/issues/2316"""
+         """See: https://github.com/psf/requests/issues/2316"""
          r = requests.request(b'GET', httpbin('get'))
 -- 
-2.9.4
+2.24.1
 

SOURCES/Skip-all-tests-needing-httpbin.patch

@@ -1,33 +0,0 @@
-From 650da6c0267ba711d9d02d2bba8d79540437055f Mon Sep 17 00:00:00 2001
-From: Tomas Orsava <torsava@redhat.com>
-Date: Wed, 13 Jun 2018 15:44:42 +0200
-Subject: [PATCH] Skip all tests needing httpbin
-
-httpbin has too many dependencies to be shipped in RHEL just for
-build-time package tests
----
- tests/conftest.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/tests/conftest.py b/tests/conftest.py
-index cd64a76..6cdc95a 100644
---- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -15,10 +15,12 @@ def prepare_url(value):
- 
- 
- @pytest.fixture
--def httpbin(httpbin):
-+def httpbin():
-+    pytest.skip()
-     return prepare_url(httpbin)
- 
- 
- @pytest.fixture
--def httpbin_secure(httpbin_secure):
-+def httpbin_secure():
-+    pytest.skip()
-     return prepare_url(httpbin_secure)
--- 
-2.14.4
-

SOURCES/patch-requests-certs.py-to-use-the-system-CA-bundle.patch

@@ -1,19 +1,7 @@
-From a8ef690988f92a56226f8b688f1a3638346bca8e Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jeremy@jcline.org>
-Date: Mon, 19 Jun 2017 16:09:02 -0400
-Subject: [PATCH] Patch requests/certs.py to use the system CA bundle
-
-Signed-off-by: Jeremy Cline <jeremy@jcline.org>
----
- requests/certs.py | 11 ++++++++++-
- setup.py          |  1 -
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/requests/certs.py b/requests/certs.py
-index d1a378d7..7b103baf 100644
---- a/requests/certs.py
-+++ b/requests/certs.py
-@@ -11,8 +11,17 @@ only one — the one from the certifi package.
+diff --color -Nur requests-2.25.1.orig/requests/certs.py requests-2.25.1/requests/certs.py
+--- requests-2.25.1.orig/requests/certs.py	2021-01-10 16:27:05.027059634 -0800
++++ requests-2.25.1/requests/certs.py	2021-01-10 16:29:06.973238179 -0800
+@@ -10,8 +10,13 @@
  If you are packaging Requests, e.g., for a Linux distribution or a managed
  environment, you can change the definition of where() to return a separately
  packaged CA bundle.
@@ -22,28 +10,20 @@ index d1a378d7..7b103baf 100644
 +by the ca-certificates RPM package.
  """
 -from certifi import where
-+try:
-+    from certifi import where
-+except ImportError:
-+    def where():
-+        """Return the absolute path to the system CA bundle."""
-+        return '/etc/pki/tls/certs/ca-bundle.crt'
-+
++def where():
++    """Return the absolute path to the system CA bundle."""
++    return '/etc/pki/tls/certs/ca-bundle.crt'
  
  if __name__ == '__main__':
      print(where())
-diff --git a/setup.py b/setup.py
-index 4e2ad936..60de5861 100755
---- a/setup.py
-+++ b/setup.py
-@@ -45,7 +45,6 @@ requires = [
-     'chardet>=3.0.2,<3.1.0',
-     'idna>=2.5,<2.8',
-     'urllib3>=1.21.1,<1.25',
+diff --color -Nur requests-2.25.1.orig/setup.py requests-2.25.1/setup.py
+--- requests-2.25.1.orig/setup.py	2020-12-16 11:34:26.000000000 -0800
++++ requests-2.25.1/setup.py	2021-01-10 16:29:21.570259552 -0800
+@@ -45,7 +45,6 @@
+     'chardet>=3.0.2,<5',
+     'idna>=2.5,<3',
+     'urllib3>=1.21.1,<1.27',
 -    'certifi>=2017.4.17'
  
  ]
  test_requirements = [
--- 
-2.19.1
-

SOURCES/properly-handle-default-ports-in-auth-stripping.patch

@@ -1,67 +0,0 @@
-diff --git a/requests/sessions.py b/requests/sessions.py
-index a448bd8..d73d700 100644
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -19,7 +19,7 @@ from .cookies import (
- from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
- from .hooks import default_hooks, dispatch_hook
- from ._internal_utils import to_native_string
--from .utils import to_key_val_list, default_headers
-+from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
- from .exceptions import (
-     TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
- 
-@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
-         if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
-                 and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
-             return False
-+
-+        # Handle default port usage corresponding to scheme.
-+        changed_port = old_parsed.port != new_parsed.port
-+        changed_scheme = old_parsed.scheme != new_parsed.scheme
-+        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
-+        if (not changed_scheme and old_parsed.port in default_port
-+                and new_parsed.port in default_port):
-+            return False
-+
-         # Standard case: root URI must match
--        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
-+        return changed_port or changed_scheme
- 
-     def resolve_redirects(self, resp, req, stream=False, timeout=None,
-                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
-diff --git a/requests/utils.py b/requests/utils.py
-index 0ce7fe1..04145c8 100644
---- a/requests/utils.py
-+++ b/requests/utils.py
-@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
- 
- DEFAULT_CA_BUNDLE_PATH = certs.where()
- 
-+DEFAULT_PORTS = {'http': 80, 'https': 443}
-+
- 
- if sys.platform == 'win32':
-     # provide a proxy_bypass version on Windows without DNS lookups
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index f46561e..f99fdaf 100644
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1611,6 +1611,17 @@ class TestRequests:
-         s = requests.Session()
-         assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
- 
-+    @pytest.mark.parametrize(
-+        'old_uri, new_uri', (
-+            ('https://example.com:443/foo', 'https://example.com/bar'),
-+            ('http://example.com:80/foo', 'http://example.com/bar'),
-+            ('https://example.com/foo', 'https://example.com:443/bar'),
-+            ('http://example.com/foo', 'http://example.com:80/bar')
-+        ))
-+    def test_should_strip_auth_default_port(self, old_uri, new_uri):
-+        s = requests.Session()
-+        assert not s.should_strip_auth(old_uri, new_uri)
-+
-     def test_manual_redirect_with_partial_body_read(self, httpbin):
-         s = requests.Session()
-         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)

SOURCES/support_IPv6_CIDR_in_no_proxy.patch

@@ -0,0 +1,268 @@
+From 94c0991a62246018bc9909907c2889519158079d Mon Sep 17 00:00:00 2001
+From: Derek Higgins <derekh@redhat.com>
+Date: Thu, 4 Jan 2024 11:30:57 +0100
+Subject: [PATCH] Add ipv6 support to should_bypass_proxies
+
+Add support to should_bypass_proxies to support
+IPv6 ipaddresses and CIDRs in no_proxy. Includes
+adding IPv6 support to various other helper functions.
+---
+ requests/utils.py   | 83 ++++++++++++++++++++++++++++++++++++++-------
+ tests/test_utils.py | 67 ++++++++++++++++++++++++++++++++----
+ 2 files changed, 131 insertions(+), 19 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index db67938..f3f780c 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -623,18 +623,46 @@ def requote_uri(uri):
+         return quote(uri, safe=safe_without_percent)
+ 
+ 
++def _get_mask_bits(mask, totalbits=32):
++    """Converts a mask from /xx format to a int
++    to be used as a mask for IP's in int format
++
++    Example: if mask is 24 function returns 0xFFFFFF00
++             if mask is 24 and totalbits=128 function
++                returns 0xFFFFFF00000000000000000000000000
++
++    :rtype: int
++    """
++    bits = ((1 << mask) - 1) << (totalbits - mask)
++    return bits
++
++
+ def address_in_network(ip, net):
+     """This function allows you to check if an IP belongs to a network subnet
+ 
+     Example: returns True if ip = 192.168.1.1 and net = 192.168.1.0/24
+              returns False if ip = 192.168.1.1 and net = 192.168.100.0/24
++             returns True if ip = 1:2:3:4::1 and net = 1:2:3:4::/64
+ 
+     :rtype: bool
+     """
+-    ipaddr = struct.unpack('=L', socket.inet_aton(ip))[0]
+     netaddr, bits = net.split('/')
+-    netmask = struct.unpack('=L', socket.inet_aton(dotted_netmask(int(bits))))[0]
+-    network = struct.unpack('=L', socket.inet_aton(netaddr))[0] & netmask
++    if is_ipv4_address(ip) and is_ipv4_address(netaddr):
++        ipaddr = struct.unpack(">L", socket.inet_aton(ip))[0]
++        netmask = _get_mask_bits(int(bits))
++        network = struct.unpack(">L", socket.inet_aton(netaddr))[0]
++    elif is_ipv6_address(ip) and is_ipv6_address(netaddr):
++        ipaddr_msb, ipaddr_lsb = struct.unpack(
++            ">QQ", socket.inet_pton(socket.AF_INET6, ip)
++        )
++        ipaddr = (ipaddr_msb << 64) ^ ipaddr_lsb
++        netmask = _get_mask_bits(int(bits), 128)
++        network_msb, network_lsb = struct.unpack(
++            ">QQ", socket.inet_pton(socket.AF_INET6, netaddr)
++        )
++        network = (network_msb << 64) ^ network_lsb
++    else:
++        return False
+     return (ipaddr & netmask) == (network & netmask)
+ 
+ 
+@@ -654,12 +682,39 @@ def is_ipv4_address(string_ip):
+     :rtype: bool
+     """
+     try:
+-        socket.inet_aton(string_ip)
++        socket.inet_pton(socket.AF_INET, string_ip)
++    except socket.error:
++        return False
++    return True
++
++
++def is_ipv6_address(string_ip):
++    """
++    :rtype: bool
++    """
++    try:
++        socket.inet_pton(socket.AF_INET6, string_ip)
+     except socket.error:
+         return False
+     return True
+ 
+ 
++def compare_ips(a, b):
++    """
++    Compare 2 IP's, uses socket.inet_pton to normalize IPv6 IPs
++
++    :rtype: bool
++    """
++    if a == b:
++        return True
++    try:
++        return socket.inet_pton(socket.AF_INET6, a) == socket.inet_pton(
++            socket.AF_INET6, b
++        )
++    except OSError:
++        return False
++
++
+ def is_valid_cidr(string_network):
+     """
+     Very simple check of the cidr format in no_proxy variable.
+@@ -667,17 +722,19 @@ def is_valid_cidr(string_network):
+     :rtype: bool
+     """
+     if string_network.count('/') == 1:
++        address, mask = string_network.split("/")
+         try:
+-            mask = int(string_network.split('/')[1])
++            mask = int(mask)
+         except ValueError:
+             return False
+ 
+-        if mask < 1 or mask > 32:
+-            return False
+-
+-        try:
+-            socket.inet_aton(string_network.split('/')[0])
+-        except socket.error:
++        if is_ipv4_address(address):
++            if mask < 1 or mask > 32:
++                return False
++        elif is_ipv6_address(address):
++            if mask < 1 or mask > 128:
++                return False
++        else:
+             return False
+     else:
+         return False
+@@ -734,12 +791,12 @@ def should_bypass_proxies(url, no_proxy):
+             host for host in no_proxy.replace(' ', '').split(',') if host
+         )
+ 
+-        if is_ipv4_address(parsed.hostname):
++        if is_ipv4_address(parsed.hostname) or is_ipv6_address(parsed.hostname):
+             for proxy_ip in no_proxy:
+                 if is_valid_cidr(proxy_ip):
+                     if address_in_network(parsed.hostname, proxy_ip):
+                         return True
+-                elif parsed.hostname == proxy_ip:
++                elif compare_ips(parsed.hostname, proxy_ip):
+                     # If no_proxy ip was defined in plain IP notation instead of cidr notation &
+                     # matches the IP of the index
+                     return True
+diff --git a/tests/test_utils.py b/tests/test_utils.py
+index 463516b..4ce139a 100644
+--- a/tests/test_utils.py
++++ b/tests/test_utils.py
+@@ -21,7 +21,7 @@ from requests.utils import (
+     requote_uri, select_proxy, should_bypass_proxies, super_len,
+     to_key_val_list, to_native_string,
+     unquote_header_value, unquote_unreserved,
+-    urldefragauth, add_dict_to_cookiejar, set_environ)
++    urldefragauth, add_dict_to_cookiejar, set_environ, _get_mask_bits, compare_ips)
+ from requests._internal_utils import unicode_is_ascii
+ 
+ from .compat import StringIO, cStringIO
+@@ -215,9 +215,15 @@ class TestIsIPv4Address:
+ 
+ 
+ class TestIsValidCIDR:
+-
+-    def test_valid(self):
+-        assert is_valid_cidr('192.168.1.0/24')
++    @pytest.mark.parametrize(
++        "value",
++        (
++            "192.168.1.0/24",
++            "1:2:3:4::/64",
++        ),
++    )
++    def test_valid(self, value):
++        assert is_valid_cidr(value)
+ 
+     @pytest.mark.parametrize(
+         'value', (
+@@ -226,6 +232,11 @@ class TestIsValidCIDR:
+             '192.168.1.0/128',
+             '192.168.1.0/-1',
+             '192.168.1.999/24',
++            "1:2:3:4::1",
++            "1:2:3:4::/a",
++            "1:2:3:4::0/321",
++            "1:2:3:4::/-1",
++            "1:2:3:4::12211/64",
+         ))
+     def test_invalid(self, value):
+         assert not is_valid_cidr(value)
+@@ -239,6 +250,12 @@ class TestAddressInNetwork:
+     def test_invalid(self):
+         assert not address_in_network('172.16.0.1', '192.168.1.0/24')
+ 
++    def test_valid_v6(self):
++        assert address_in_network("1:2:3:4::1111", "1:2:3:4::/64")
++
++    def test_invalid_v6(self):
++        assert not address_in_network("1:2:3:4:1111", "1:2:3:4::/124")
++
+ 
+ class TestGuessFilename:
+ 
+@@ -624,13 +641,18 @@ def test_urldefragauth(url, expected):
+             ('http://172.16.1.12:5000/', False),
+             ('http://google.com:5000/v1.0/', False),
+             ('file:///some/path/on/disk', True),
++            ("http://[1:2:3:4:5:6:7:8]:5000/", True),
++            ("http://[1:2:3:4::1]/", True),
++            ("http://[1:2:3:9::1]/", True),
++            ("http://[1:2:3:9:0:0:0:1]/", True),
++            ("http://[1:2:3:9::2]/", False),
+     ))
+ def test_should_bypass_proxies(url, expected, monkeypatch):
+     """Tests for function should_bypass_proxies to check if proxy
+     can be bypassed or not
+     """
+-    monkeypatch.setenv('no_proxy', '192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000')
+-    monkeypatch.setenv('NO_PROXY', '192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000')
++    monkeypatch.setenv('no_proxy', '192.168.0.0/24,127.0.0.1,localhost.localdomain,1:2:3:4::/64,1:2:3:9::1,172.16.1.1, google.com:6000')
++    monkeypatch.setenv('NO_PROXY', '192.168.0.0/24,127.0.0.1,localhost.localdomain,1:2:3:4::/64,1:2:3:9::1,172.16.1.1, google.com:6000')
+     assert should_bypass_proxies(url, no_proxy=None) == expected
+ 
+ 
+@@ -781,3 +803,36 @@ def test_set_environ_raises_exception():
+             raise Exception('Expected exception')
+ 
+     assert 'Expected exception' in str(exception.value)
++
++
++@pytest.mark.parametrize(
++    "mask, totalbits, maskbits",
++    (
++        (24, None, 0xFFFFFF00),
++        (31, None, 0xFFFFFFFE),
++        (0, None, 0x0),
++        (4, 4, 0xF),
++        (24, 128, 0xFFFFFF00000000000000000000000000),
++    ),
++)
++def test__get_mask_bits(mask, totalbits, maskbits):
++    args = {"mask": mask}
++    if totalbits:
++        args["totalbits"] = totalbits
++    assert _get_mask_bits(**args) == maskbits
++
++
++@pytest.mark.parametrize(
++    "a, b, expected",
++    (
++        ("1.2.3.4", "1.2.3.4", True),
++        ("1.2.3.4", "2.2.3.4", False),
++        ("1::4", "1.2.3.4", False),
++        ("1::4", "1::4", True),
++        ("1::4", "1:0:0:0:0:0:0:4", True),
++        ("1::4", "1:0:0:0:0:0::4", True),
++        ("1::4", "1:0:0:0:0:0:1:4", False),
++    ),
++)
++def test_compare_ips(a, b, expected):
++    assert compare_ips(a, b) == expected
+-- 
+2.43.0
+

SPECS/python-requests.spec

@@ -1,9 +1,11 @@
-%bcond_without tests
-%bcond_without python3
+# Disable tests on RHEL9 as to not pull in the test dependencies
+# Specify --with tests to run the tests e.g. on EPEL
+%bcond_with tests
+
 
 Name:           python-requests
-Version:        2.20.0
-Release:        3%{?dist}
+Version:        2.25.1
+Release:        9%{?dist}
 Summary:        HTTP library, written in Python, for human beings
 
 License:        ASL 2.0
@@ -23,19 +25,43 @@ Patch2:         Remove-tests-that-use-the-tarpit.patch
 # a pretty odd one so this is a niche requirement.
 Patch3:         requests-2.12.4-tests_nonet.patch
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1567862
-Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
+# The [security] extra as present in upstream 2.25.1 is not possible,
+# because the PyOpenSSL package is not part of RHEL 9.
+# We backport a pre-2.26.0 commit that makes request[security] a no-op:
+#   https://github.com/psf/requests/pull/5867
+# """
+# We initially removed default support for PyOpenSSL in Requests 2.24.0
+# as it is now considered less secure. Deprecation of the extras_require was
+# announced in Requests 2.25.0 and we're officially removing the extras_require
+# functionality in Requests 2.26.0.
+# Projects currently using requests[security] after this change will continue
+# to operate as if performing a standard requests installation (secure by default).
+# """
+Patch4:         Empty-security-extras.patch
 
-# Skip all tests needing httpbin
-#   httpbin has too many dependencies to be shipped in RHEL just for
-#   build-time package tests
-Patch5:         Skip-all-tests-needing-httpbin.patch
+# Security fix for CVE-2023-32681
+# Unintended leak of Proxy-Authorization header
+# Resolved upstream: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2209469
+Patch5:         CVE-2023-32681.patch
 
-# Properly handle default ports when stripping the authorization header.
-# This fixes a regression introduced with fixing CVE-2018-18074.
-# Fixed upstream: https://github.com/psf/requests/pull/4851
-# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762422
-Patch6:         properly-handle-default-ports-in-auth-stripping.patch
+# Add support for IPv6 CIDR in no_proxy setting
+# This functionality is needed in Openshift and it has been
+# proposed for upstream in 2021 but the PR unfortunately stalled.
+# Issue: https://issues.redhat.com/browse/RHEL-17548
+# Upstream PR: https://github.com/psf/requests/pull/5953
+Patch6:         support_IPv6_CIDR_in_no_proxy.patch
+
+# Security fix for CVE-2024-35195
+# Subsequent requests to the same host ignore cert verification.
+# The patch is a combination of many upstream changes. Each commit contains
+# the respective upstream commit. The first one is the fix for the vulnerability
+# see: https://github.com/psf/requests/pull/6655
+# and the rest tries to make it more backward compatible.
+# The last commit is still a draft upstream and therefore the link points to the PR.
+# PR: https://github.com/psf/requests/pull/6731
+# The issue it tries to solve: https://github.com/psf/requests/issues/6726
+Patch7:         CVE-2024-35195.patch
 
 BuildArch:      noarch
 
@@ -45,54 +71,20 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
-%package -n python2-requests
-Summary: HTTP library, written in Python, for human beings
-%{?python_provide:%python_provide python2-requests}
-
-BuildRequires:  python2-devel
-BuildRequires:  python2-chardet
-BuildRequires:  python2-urllib3
-BuildRequires:  python2-idna
-%if %{with tests}
-BuildRequires:  python2-pytest
-BuildRequires:  python2-pytest-mock
-%endif
-
-
-Requires:       ca-certificates
-Requires:       python2-chardet
-Requires:       python2-urllib3
-Requires:       python2-idna
-
-%if 0%{?rhel} && 0%{?rhel} <= 6
-BuildRequires:  python-ordereddict
-Requires:       python-ordereddict
-%endif
-
-%description -n python2-requests
-Most existing Python modules for sending HTTP requests are extremely verbose and
-cumbersome. Python’s built-in urllib2 module provides most of the HTTP
-capabilities you should need, but the API is thoroughly broken. This library is
-designed to make HTTP requests easy for developers.
-
-%if %{with python3}
 %package -n python%{python3_pkgversion}-requests
 Summary: HTTP library, written in Python, for human beings
 
 %{?python_provide:%python_provide python%{python3_pkgversion}-requests}
 
 BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-chardet
-BuildRequires:  python%{python3_pkgversion}-urllib3
-BuildRequires:  python%{python3_pkgversion}-idna
+BuildRequires:  pyproject-rpm-macros
+
 %if %{with tests}
-BuildRequires:  python%{python3_pkgversion}-pytest
-BuildRequires:  python%{python3_pkgversion}-pytest-mock
+BuildRequires:  python3dist(pytest)
+BuildRequires:  python3dist(pytest-httpbin)
+BuildRequires:  python3dist(pytest-mock)
 %endif
 
-Requires:       python%{python3_pkgversion}-chardet
-Requires:       python%{python3_pkgversion}-urllib3
-Requires:       python%{python3_pkgversion}-idna
 
 %description -n python%{python3_pkgversion}-requests
 Most existing Python modules for sending HTTP requests are extremely verbose and
@@ -100,8 +92,16 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
+%pyproject_extras_subpkg -n python%{python3_pkgversion}-requests security socks
+
+%generate_buildrequires
+%if %{with tests}
+%pyproject_buildrequires -r
+%else
+%pyproject_buildrequires
 %endif
 
+
 %prep
 %autosetup -p1 -n requests-%{version}
 
@@ -111,78 +111,161 @@ rm -rf requests/cacert.pem
 # env shebang in nonexecutable file
 sed -i '/#!\/usr\/.*python/d' requests/certs.py
 
+# Some doctests use the internet and fail to pass in Koji. Since doctests don't have names, I don't
+# know a way to skip them. We also don't want to patch them out, because patching them out will
+# change the docs. Thus, we set pytest not to run doctests at all.
+sed -i 's/ --doctest-modules//' pytest.ini
+
 %build
-%py2_build
-%if %{with python3}
-%py3_build
-%endif
+%pyproject_wheel
+
 
 %install
-%py2_install
-%if %{with python3}
-%py3_install
-%endif
+%pyproject_install
+%pyproject_save_files requests
+
 
 %if %{with tests}
 %check
-PYTHONPATH=%{buildroot}%{python2_sitelib} %{__python2} -m pytest -v
-%if %{with python3}
-PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
+# test_https_warnings: https://github.com/psf/requests/issues/5530
+%pytest -v -k "not test_https_warnings"
 %endif
-%endif # tests
 
 
-%files -n python2-requests
+%files -n python%{python3_pkgversion}-requests -f %{pyproject_files}
 %license LICENSE
 %doc README.md HISTORY.md
-%{python2_sitelib}/*.egg-info
-%{python2_sitelib}/requests/
-
-%if %{with python3}
-%files -n python%{python3_pkgversion}-requests
-%license LICENSE
-%doc README.md HISTORY.md
-%{python3_sitelib}/*.egg-info
-%{python3_sitelib}/requests/
-%endif
 
 
 %changelog
-* Fri Nov 1 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.20.0-3
-- Properly handle default ports when stripping the authorization header
-Resolves: rhbz#1762422
+* Fri Jan 10 2025 Lumír Balhar <lbalhar@redhat.com> - 2.25.1-9
+- Security fix for CVE-2024-35195
+Resolves: RHEL-37609
 
-* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 2.20.0-2
-- Bumping due to problems with modular RPM upgrade path
-- Resolves: rhbz#1695587
+* Tue Jan 02 2024 Lumír Balhar <lbalhar@redhat.com> - 2.25.1-8
+- Add support for IPv6 CIDR in no_proxy setting
+Resolves: RHEL-17548
+
+* Fri Jun 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-7
+- Security fix for CVE-2023-32681
+Resolves: rhbz#2209469
+
+* Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 2.25.1-6
+- Add automatically generated Obsoletes tag with the python39- prefix
+  for smoother upgrade from RHEL8
+- Related: rhbz#1990421
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jul 15 2021 Miro Hrončok <mhroncok@redhat.com> - 2.25.1-4
+- Make requests[security] extras a no-op (backported from future 2.26.0)
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-2
+- Disable tests on RHEL9 to avoid pulling in the test dependencies
+
+* Tue Feb 02 2021 Kevin Fenzi <kevin@scrye.com> - 2.25.1-1
+- Update 2.25.1. Fix is rhbz#1908487
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.25.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Nov 25 2020 Petr Viktorin <pviktori@redhat.com> - 2.25.0-1
+- Update to 2.25.0
+
+* Fri Nov 13 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-5
+- Don't BR pytest-cov
+
+* Fri Sep 18 2020 Petr Viktorin <pviktori@redhat.com> - 2.24.0-4
+- Port to pyproject macros
+
+* Fri Sep 18 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-3
+- Build with pytest 6, older version is no longer required
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.24.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 10 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-1
+- Update to 2.24.0
+- Resolves rhbz#1848104
+
+* Fri Jul 10 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-5
+- Add requests[security] and requests[socks] subpackages
+
+* Sat May 30 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-4
+- Test with pytest 4, drop manual requires
+
+* Mon May 25 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-3
+- Rebuilt for Python 3.9
+
+* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-2
+- Bootstrap for Python 3.9
+
+* Fri Feb 21 2020 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.23.0-1
+- Update to 2.23.0 (#1804863).
+- https://requests.readthedocs.io/en/latest/community/updates/
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Oct 22 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.22.0-7
+- Remove the python2 subpackage (rhbz#1761787)
+
+* Wed Sep 18 2019 Petr Viktorin <pviktori@redhat.com> - 2.22.0-6
+- Python 2: Remove tests and test dependencies
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-5
+- Rebuilt for Python 3.8
+
+* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-4
+- Bootstrap for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jun 11 2019 Yatin Karel <ykarel@redhat.com> - 2.22.0-2
+- Add minimum requirement for chardet and urllib3
+
+* Thu May 23 2019 Jeremy Cline <jcline@redhat.com> - 2.22.0-1
+- Update to v2.22.0
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.21.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Jeremy Cline <jeremy@jcline.org> - 2.21.0-1
+- Update to v2.21.0
+- Don't rely on certifi being patched properly to use the system CA bundle
+
+* Mon Nov 26 2018 Miro Hrončok <mhroncok@redhat.com> - 2.20.0-2
+- No pytest-httpbin for Python 2
 
 * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
-- Update to v2.20.0 for CVE-2018-18074.
+- Update to v2.20.0
 
-* Tue Jul 31 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-5
-- Make possible to disable python3 subpackage
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.19.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Mon Jul 16 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-4
-- First version for python27 module
+* Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.1-2
+- Rebuilt for Python 3.7
 
-* Thu Jun 21 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-3
-- Allow build with Python 2
-
-* Tue Jun 19 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.19.1-2
-- Remove the python-pytest-cov dependency
-
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
+* Thu Jun 14 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
 - Update to v2.19.1 (rhbz 1591531)
 
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
+* Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.0-2
+- Bootstrap for Python 3.7
+
+* Tue Jun 12 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
 - Update to v2.19.0 (rhbz 1590508)
 
-* Wed Jun 13 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-6
-- Skip all tests needing httpbin: httpbin has too many dependencies to be
-  shipped in RHEL just for build-time package tests
+* Fri Jun 08 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-6
+- Don't print runtime warning about urllib3 v1.23 (rhbz 1589306)
 
-* Tue Jun 12 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-5
-- BR idna, or the tests fail to start
+* Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-5
+- Allow urllib3 v1.23 (rhbz 1586311)
 
 * Mon Apr 16 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-4
 - Stop injecting PyOpenSSL (rhbz 1567862)