.gitignore

@@ -1 +1 @@
-SOURCES/requests-v2.20.0.tar.gz
+/requests-v2.22.0.tar.gz

.python-requests.metadata

@@ -1 +0,0 @@
-2c0728fc3aca17419b2b574341a0b019e117d4f5 SOURCES/requests-v2.20.0.tar.gz

CVE-2023-32681.patch

@@ -0,0 +1,59 @@
+From 88313c734876b90c266d183d07d26338a14bc54c Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 45ab8a5..db9c594 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 5e721cb..c70706f 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -551,6 +551,26 @@ class TestRequests:
+         with pytest.raises(InvalidProxyURL):
+             requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ('user', 'pass')
+         wrong_auth = ('wronguser', 'wrongpass')
+-- 
+2.40.1
+

SOURCES/Skip-all-tests-needing-httpbin.patch

@@ -1,33 +0,0 @@
-From 650da6c0267ba711d9d02d2bba8d79540437055f Mon Sep 17 00:00:00 2001
-From: Tomas Orsava <torsava@redhat.com>
-Date: Wed, 13 Jun 2018 15:44:42 +0200
-Subject: [PATCH] Skip all tests needing httpbin
-
-httpbin has too many dependencies to be shipped in RHEL just for
-build-time package tests
----
- tests/conftest.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/tests/conftest.py b/tests/conftest.py
-index cd64a76..6cdc95a 100644
---- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -15,10 +15,12 @@ def prepare_url(value):
- 
- 
- @pytest.fixture
--def httpbin(httpbin):
-+def httpbin():
-+    pytest.skip()
-     return prepare_url(httpbin)
- 
- 
- @pytest.fixture
--def httpbin_secure(httpbin_secure):
-+def httpbin_secure():
-+    pytest.skip()
-     return prepare_url(httpbin_secure)
--- 
-2.14.4
-

SOURCES/properly-handle-default-ports-in-auth-stripping.patch

@@ -1,67 +0,0 @@
-diff --git a/requests/sessions.py b/requests/sessions.py
-index a448bd8..d73d700 100644
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -19,7 +19,7 @@ from .cookies import (
- from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
- from .hooks import default_hooks, dispatch_hook
- from ._internal_utils import to_native_string
--from .utils import to_key_val_list, default_headers
-+from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
- from .exceptions import (
-     TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
- 
-@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
-         if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
-                 and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
-             return False
-+
-+        # Handle default port usage corresponding to scheme.
-+        changed_port = old_parsed.port != new_parsed.port
-+        changed_scheme = old_parsed.scheme != new_parsed.scheme
-+        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
-+        if (not changed_scheme and old_parsed.port in default_port
-+                and new_parsed.port in default_port):
-+            return False
-+
-         # Standard case: root URI must match
--        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
-+        return changed_port or changed_scheme
- 
-     def resolve_redirects(self, resp, req, stream=False, timeout=None,
-                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
-diff --git a/requests/utils.py b/requests/utils.py
-index 0ce7fe1..04145c8 100644
---- a/requests/utils.py
-+++ b/requests/utils.py
-@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
- 
- DEFAULT_CA_BUNDLE_PATH = certs.where()
- 
-+DEFAULT_PORTS = {'http': 80, 'https': 443}
-+
- 
- if sys.platform == 'win32':
-     # provide a proxy_bypass version on Windows without DNS lookups
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index f46561e..f99fdaf 100644
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1611,6 +1611,17 @@ class TestRequests:
-         s = requests.Session()
-         assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
- 
-+    @pytest.mark.parametrize(
-+        'old_uri, new_uri', (
-+            ('https://example.com:443/foo', 'https://example.com/bar'),
-+            ('http://example.com:80/foo', 'http://example.com/bar'),
-+            ('https://example.com/foo', 'https://example.com:443/bar'),
-+            ('http://example.com/foo', 'http://example.com:80/bar')
-+        ))
-+    def test_should_strip_auth_default_port(self, old_uri, new_uri):
-+        s = requests.Session()
-+        assert not s.should_strip_auth(old_uri, new_uri)
-+
-     def test_manual_redirect_with_partial_body_read(self, httpbin):
-         s = requests.Session()
-         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)

patch-requests-certs.py-to-use-the-system-CA-bundle.patch

@@ -1,19 +1,19 @@
-From a8ef690988f92a56226f8b688f1a3638346bca8e Mon Sep 17 00:00:00 2001
+From d5a4f2908fab5ca16eb59db8b18eda7a94a37b04 Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jeremy@jcline.org>
+From: Jeremy Cline <jcline@redhat.com>
-Date: Mon, 19 Jun 2017 16:09:02 -0400
+Date: Thu, 13 Dec 2018 10:55:29 -0500
 Subject: [PATCH] Patch requests/certs.py to use the system CA bundle
 
-Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
- requests/certs.py | 11 ++++++++++-
+ requests/certs.py | 8 +++++++-
  setup.py          | 1 -
- 2 files changed, 10 insertions(+), 2 deletions(-)
+ 2 files changed, 7 insertions(+), 2 deletions(-)
 
 diff --git a/requests/certs.py b/requests/certs.py
-index d1a378d7..7b103baf 100644
+index d1a378d7..5eb2f1a9 100644
 --- a/requests/certs.py
 +++ b/requests/certs.py
-@@ -11,8 +11,17 @@ only one — the one from the certifi package.
+@@ -11,8 +11,14 @@ only one — the one from the certifi package.
  If you are packaging Requests, e.g., for a Linux distribution or a managed
  environment, you can change the definition of where() to return a separately
  packaged CA bundle.
@@ -22,9 +22,6 @@ index d1a378d7..7b103baf 100644
 +by the ca-certificates RPM package.
  """
 -from certifi import where
-+try:
-+    from certifi import where
-+except ImportError:
 +def where():
 +    """Return the absolute path to the system CA bundle."""
 +    return '/etc/pki/tls/certs/ca-bundle.crt'
@@ -33,17 +30,17 @@ index d1a378d7..7b103baf 100644
  if __name__ == '__main__':
      print(where())
 diff --git a/setup.py b/setup.py
-index 4e2ad936..60de5861 100755
+index 10ce2c62..1f3b2bde 100755
 --- a/setup.py
 +++ b/setup.py
 @@ -45,7 +45,6 @@ requires = [
      'chardet>=3.0.2,<3.1.0',
-     'idna>=2.5,<2.8',
+     'idna>=2.5,<2.9',
-     'urllib3>=1.21.1,<1.25',
+     'urllib3>=1.21.1,<1.26,!=1.25.0,!=1.25.1',
 -    'certifi>=2017.4.17'
  
  ]
  test_requirements = [
 -- 
-2.19.1
+2.19.2
 

python-requests.spec

@@ -1,9 +1,8 @@
-%bcond_without tests
+%bcond_with tests
-%bcond_without python3
 
 Name:           python-requests
-Version:        2.20.0
+Version:        2.22.0
-Release:        3%{?dist}
+Release:        10%{?dist}
 Summary:        HTTP library, written in Python, for human beings
 
 License:        ASL 2.0
@@ -26,18 +25,23 @@ Patch3:         requests-2.12.4-tests_nonet.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1567862
 Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
 
-# Skip all tests needing httpbin
+# https://bugzilla.redhat.com/show_bug.cgi?id=1653223
-#   httpbin has too many dependencies to be shipped in RHEL just for
+Patch5:         requests-2.20.0-no-py2-httpbin.patch
-#   build-time package tests
-Patch5:         Skip-all-tests-needing-httpbin.patch
 
-# Properly handle default ports when stripping the authorization header.
+# https://github.com/kennethreitz/requests/pull/5049
-# This fixes a regression introduced with fixing CVE-2018-18074.
+Patch6:         support-pytest-4.patch
-# Fixed upstream: https://github.com/psf/requests/pull/4851
+
-# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762422
+# Security fix for CVE-2023-32681
-Patch6:         properly-handle-default-ports-in-auth-stripping.patch
+# Unintended leak of Proxy-Authorization header
+# Resolved upstream: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2209469
+Patch7:         CVE-2023-32681.patch
 
 BuildArch:      noarch
+# Exclude i686 arch. Due to a modularity issue it's being added to the
+# x86_64 compose of CRB, but we don't want to ship it at all.
+# See: https://projects.engineering.redhat.com/browse/RCM-72605
+ExcludeArch:    i686
 
 %description
 Most existing Python modules for sending HTTP requests are extremely verbose and
@@ -45,37 +49,6 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
-%package -n python2-requests
-Summary: HTTP library, written in Python, for human beings
-%{?python_provide:%python_provide python2-requests}
-
-BuildRequires:  python2-devel
-BuildRequires:  python2-chardet
-BuildRequires:  python2-urllib3
-BuildRequires:  python2-idna
-%if %{with tests}
-BuildRequires:  python2-pytest
-BuildRequires:  python2-pytest-mock
-%endif
-
-
-Requires:       ca-certificates
-Requires:       python2-chardet
-Requires:       python2-urllib3
-Requires:       python2-idna
-
-%if 0%{?rhel} && 0%{?rhel} <= 6
-BuildRequires:  python-ordereddict
-Requires:       python-ordereddict
-%endif
-
-%description -n python2-requests
-Most existing Python modules for sending HTTP requests are extremely verbose and
-cumbersome. Python’s built-in urllib2 module provides most of the HTTP
-capabilities you should need, but the API is thoroughly broken. This library is
-designed to make HTTP requests easy for developers.
-
-%if %{with python3}
 %package -n python%{python3_pkgversion}-requests
 Summary: HTTP library, written in Python, for human beings
 
@@ -85,13 +58,16 @@ BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-chardet
 BuildRequires:  python%{python3_pkgversion}-urllib3
 BuildRequires:  python%{python3_pkgversion}-idna
+BuildRequires:  python%{python3_pkgversion}-rpm-macros
 %if %{with tests}
 BuildRequires:  python%{python3_pkgversion}-pytest
+BuildRequires:  python%{python3_pkgversion}-pytest-cov
+BuildRequires:  python%{python3_pkgversion}-pytest-httpbin
 BuildRequires:  python%{python3_pkgversion}-pytest-mock
 %endif
 
-Requires:       python%{python3_pkgversion}-chardet
+Requires:       python%{python3_pkgversion}-chardet >= 3.0.2
-Requires:       python%{python3_pkgversion}-urllib3
+Requires:       python%{python3_pkgversion}-urllib3 >= 1.21.1
 Requires:       python%{python3_pkgversion}-idna
 
 %description -n python%{python3_pkgversion}-requests
@@ -100,8 +76,6 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
-%endif
-
 %prep
 %autosetup -p1 -n requests-%{version}
 
@@ -112,77 +86,90 @@ rm -rf requests/cacert.pem
 sed -i '/#!\/usr\/.*python/d' requests/certs.py
 
 %build
-%py2_build
-%if %{with python3}
 %py3_build
-%endif
+
 
 %install
-%py2_install
-%if %{with python3}
 %py3_install
-%endif
+
 
 %if %{with tests}
 %check
-PYTHONPATH=%{buildroot}%{python2_sitelib} %{__python2} -m pytest -v
-%if %{with python3}
 PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
-%endif
 %endif # tests
 
-
-%files -n python2-requests
-%license LICENSE
-%doc README.md HISTORY.md
-%{python2_sitelib}/*.egg-info
-%{python2_sitelib}/requests/
-
-%if %{with python3}
 %files -n python%{python3_pkgversion}-requests
 %license LICENSE
 %doc README.md HISTORY.md
 %{python3_sitelib}/*.egg-info
 %{python3_sitelib}/requests/
-%endif
 
 
 %changelog
-* Fri Nov 1 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.20.0-3
+* Wed Jun 21 2023 Lumír Balhar <lbalhar@redhat.com> - 2.22.0-10
-- Properly handle default ports when stripping the authorization header
+- Security fix for CVE-2023-32681
-Resolves: rhbz#1762422
+Resolves: rhbz#2209469
 
-* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 2.20.0-2
+* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 2.22.0-9
-- Bumping due to problems with modular RPM upgrade path
+- Exclude unsupported i686 arch
-- Resolves: rhbz#1695587
+
+* Wed Nov 20 2019 Lumír Balhar <lbalhar@redhat.com> - 2.22.0-8
+- Adjusted for Python 3.8 module in RHEL 8
+
+* Tue Oct 22 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.22.0-7
+- Remove the python2 subpackage (rhbz#1761787)
+
+* Wed Sep 18 2019 Petr Viktorin <pviktori@redhat.com> - 2.22.0-6
+- Python 2: Remove tests and test dependencies
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-5
+- Rebuilt for Python 3.8
+
+* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-4
+- Bootstrap for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jun 11 2019 Yatin Karel <ykarel@redhat.com> - 2.22.0-2
+- Add minimum requirement for chardet and urllib3
+
+* Thu May 23 2019 Jeremy Cline <jcline@redhat.com> - 2.22.0-1
+- Update to v2.22.0
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.21.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Jeremy Cline <jeremy@jcline.org> - 2.21.0-1
+- Update to v2.21.0
+- Don't rely on certifi being patched properly to use the system CA bundle
+
+* Mon Nov 26 2018 Miro Hrončok <mhroncok@redhat.com> - 2.20.0-2
+- No pytest-httpbin for Python 2
 
 * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
-- Update to v2.20.0 for CVE-2018-18074.
+- Update to v2.20.0
 
-* Tue Jul 31 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-5
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.19.1-3
-- Make possible to disable python3 subpackage
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Mon Jul 16 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-4
+* Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.1-2
-- First version for python27 module
+- Rebuilt for Python 3.7
 
-* Thu Jun 21 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-3
+* Thu Jun 14 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
-- Allow build with Python 2
-
-* Tue Jun 19 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.19.1-2
-- Remove the python-pytest-cov dependency
-
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
 - Update to v2.19.1 (rhbz 1591531)
 
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
+* Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.0-2
+- Bootstrap for Python 3.7
+
+* Tue Jun 12 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
 - Update to v2.19.0 (rhbz 1590508)
 
-* Wed Jun 13 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-6
+* Fri Jun 08 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-6
-- Skip all tests needing httpbin: httpbin has too many dependencies to be
+- Don't print runtime warning about urllib3 v1.23 (rhbz 1589306)
-  shipped in RHEL just for build-time package tests
 
-* Tue Jun 12 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-5
+* Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-5
-- BR idna, or the tests fail to start
+- Allow urllib3 v1.23 (rhbz 1586311)
 
 * Mon Apr 16 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-4
 - Stop injecting PyOpenSSL (rhbz 1567862)

requests-2.20.0-no-py2-httpbin.patch

@@ -0,0 +1,34 @@
+diff --git a/tests/conftest.py b/tests/conftest.py
+index cd64a76..1d5ddbb 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -14,11 +14,23 @@ def prepare_url(value):
+     return inner
+ 
+ 
+-@pytest.fixture
+-def httpbin(httpbin):
+-    return prepare_url(httpbin)
++import sys
+ 
++if sys.version_info[0] < 3:
++    @pytest.fixture
++    def httpbin():
++        pytest.skip('No httpbin for Python 2')
+ 
+-@pytest.fixture
+-def httpbin_secure(httpbin_secure):
+-    return prepare_url(httpbin_secure)
++    @pytest.fixture
++    def httpbin_secure():
++        pytest.skip('No httpbin for Python 2')
++
++else:
++    @pytest.fixture
++    def httpbin(httpbin):
++        return prepare_url(httpbin)
++
++
++    @pytest.fixture
++    def httpbin_secure(httpbin_secure):
++        return prepare_url(httpbin_secure)

sources

@@ -0,0 +1 @@
+SHA512 (requests-v2.22.0.tar.gz) = 1259c270e343fc860322b105904232226f26b3b363e9d102d599020fcc7b6e1d524dc6c650181ce3152caebe11d2c60045ddd9c9fc04560294caa284e209c386

support-pytest-4.patch

@@ -0,0 +1,26 @@
+From 7a33a8e523be6aa40c7e5435d3c5d92f2cc6e9a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Mon, 8 Apr 2019 18:04:22 +0200
+Subject: [PATCH] Support pytest 4
+
+Fixes https://github.com/kennethreitz/requests/issues/5048
+
+See https://docs.pytest.org/en/latest/deprecations.html#marks-in-pytest-mark-parametrize
+---
+ tests/test_utils.py |  3 ++-
+ 1 file changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/tests/test_utils.py b/tests/test_utils.py
+index 59b0b0efa..62c51494d 100644
+--- a/tests/test_utils.py
++++ b/tests/test_utils.py
+@@ -33,7 +33,8 @@ class TestSuperLen:
+         'stream, value', (
+             (StringIO.StringIO, 'Test'),
+             (BytesIO, b'Test'),
+-            pytest.mark.skipif('cStringIO is None')((cStringIO, 'Test')),
++            pytest.param(cStringIO, 'Test',
++                         marks=pytest.mark.skipif('cStringIO is None')),
+         ))
+     def test_io_streams(self, stream, value):
+         """Ensures that we properly deal with different kinds of IO streams."""