11 changed files with 530 additions and 280 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/requests-v2.20.0.tar.gz
+SOURCES/requests-v2.25.1.tar.gz
--- a/.python-requests.metadata
+++ b/.python-requests.metadata
@ -1 +1 @@
-2c0728fc3aca17419b2b574341a0b019e117d4f5 SOURCES/requests-v2.20.0.tar.gz
+804fdbaf3dbc57f49a66cef920e9d4a5ce3460eb SOURCES/requests-v2.25.1.tar.gz
--- a/SOURCES/CVE-2023-32681.patch
+++ b/SOURCES/CVE-2023-32681.patch
@ -0,0 +1,59 @@
 From 88313c734876b90c266d183d07d26338a14bc54c Mon Sep 17 00:00:00 2001
 From: Nate Prewitt <nate.prewitt@gmail.com>
 Date: Mon, 22 May 2023 08:08:57 -0700
 Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
 ---
 requests/sessions.py   |  4 +++-
 tests/test_requests.py | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 diff --git a/requests/sessions.py b/requests/sessions.py
 index 45ab8a5..db9c594 100644
 --- a/requests/sessions.py
 +++ b/requests/sessions.py
@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
         except KeyError:
             username, password = None, None
 -        if username and password:
 +        # urllib3 handles proxy authorization for us in the standard adapter.
 +        # Avoid appending this to TLS tunneled requests where it may be leaked.
 +        if not scheme.startswith('https') and username and password:
             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
         return new_proxies
 diff --git a/tests/test_requests.py b/tests/test_requests.py
 index 5e721cb..c70706f 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
@@ -551,6 +551,26 @@ class TestRequests:
         with pytest.raises(InvalidProxyURL):
             requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
 +
 +    @pytest.mark.parametrize(
 +        "url,has_proxy_auth",
 +        (
 +            ('http://example.com', True),
 +            ('https://example.com', False),
 +        ),
 +    )
 +    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
 +        session = requests.Session()
 +        proxies = {
 +            'http': 'http://test:pass@localhost:8080',
 +            'https': 'http://test:pass@localhost:8090',
 +        }
 +        req = requests.Request('GET', url)
 +        prep = req.prepare()
 +        session.rebuild_proxies(prep, proxies)
 +
 +        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
 +
     def test_basicauth_with_netrc(self, httpbin):
         auth = ('user', 'pass')
         wrong_auth = ('wronguser', 'wrongpass')
 -- 
 2.40.1
--- a/SOURCES/Don-t-inject-pyopenssl-into-urllib3.patch
+++ b/SOURCES/Don-t-inject-pyopenssl-into-urllib3.patch
@ -1,38 +0,0 @@
 From 86b1fa39fdebdb7bc57131c1a198d4d18e104f95 Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jeremy@jcline.org>
 Date: Mon, 16 Apr 2018 10:35:35 -0400
 Subject: [PATCH] Don't inject pyopenssl into urllib3
 Fedora ships sufficiently new versions of Python 2 and 3 to make this
 unnecessary (rhbz 1567862)
 Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 ---
 requests/__init__.py | 7 -------
 1 file changed, 7 deletions(-)
 diff --git a/requests/__init__.py b/requests/__init__.py
 index a5b3c9c3..e312d314 100644
 --- a/requests/__init__.py
 +++ b/requests/__init__.py
@@ -90,17 +90,6 @@ except (AssertionError, ValueError):
                   "version!".format(urllib3.__version__, chardet.__version__),
                   RequestsDependencyWarning)
 -# Attempt to enable urllib3's SNI support, if possible
 -try:
 -    from urllib3.contrib import pyopenssl
 -    pyopenssl.inject_into_urllib3()
 -
 -    # Check cryptography version
 -    from cryptography import __version__ as cryptography_version
 -    _check_cryptography(cryptography_version)
 -except ImportError:
 -    pass
 -
 # urllib3's DependencyWarnings should be silenced.
 from urllib3.exceptions import DependencyWarning
 warnings.simplefilter('ignore', DependencyWarning)
 -- 
 2.17.0
--- a/SOURCES/Empty-security-extras.patch
+++ b/SOURCES/Empty-security-extras.patch
@ -0,0 +1,13 @@
 diff --git a/setup.py b/setup.py
 index 065eb22..043ae42 100755
 --- a/setup.py
 +++ b/setup.py
@@ -100,7 +100,7 @@ setup(
     cmdclass={'test': PyTest},
     tests_require=test_requirements,
     extras_require={
 -        'security': ['pyOpenSSL >= 0.14', 'cryptography>=1.3.4'],
 +        'security': [],
         'socks': ['PySocks>=1.5.6, !=1.5.7'],
         'socks:sys_platform == "win32" and python_version == "2.7"': ['win_inet_pton'],
     },
--- a/SOURCES/Remove-tests-that-use-the-tarpit.patch
+++ b/SOURCES/Remove-tests-that-use-the-tarpit.patch
@ -1,4 +1,4 @@
-From 524cd22fb77e69db9bb3f017bbb1d9782c37b0cd Mon Sep 17 00:00:00 2001
+From bb1c91432c5e9a1f402692db5c80c65136656afb Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jeremy@jcline.org>
 Date: Tue, 13 Jun 2017 09:08:09 -0400
 Subject: [PATCH] Remove tests that use the tarpit
@ -15,10 +15,10 @@ Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 1 file changed, 25 deletions(-)
 diff --git a/tests/test_requests.py b/tests/test_requests.py
-index b8350cb..46b7e9e 100755
+index 7d4a4eb5..8d1c55fc 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
-@@ -2049,31 +2049,6 @@ class TestTimeout:
+@@ -2186,31 +2186,6 @@ class TestTimeout:
         except ReadTimeout:
             pass
@ -48,8 +48,8 @@ index b8350cb..46b7e9e 100755
 -            pass
 -
     def test_encoded_methods(self, httpbin):
-         """See: https://github.com/requests/requests/issues/2316"""
+         """See: https://github.com/psf/requests/issues/2316"""
         r = requests.request(b'GET', httpbin('get'))
 -- 
-2.9.4
+2.24.1
--- a/SOURCES/Skip-all-tests-needing-httpbin.patch
+++ b/SOURCES/Skip-all-tests-needing-httpbin.patch
@ -1,33 +0,0 @@
 From 650da6c0267ba711d9d02d2bba8d79540437055f Mon Sep 17 00:00:00 2001
 From: Tomas Orsava <torsava@redhat.com>
 Date: Wed, 13 Jun 2018 15:44:42 +0200
 Subject: [PATCH] Skip all tests needing httpbin
 httpbin has too many dependencies to be shipped in RHEL just for
 build-time package tests
 ---
 tests/conftest.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/tests/conftest.py b/tests/conftest.py
 index cd64a76..6cdc95a 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -15,10 +15,12 @@ def prepare_url(value):
 @pytest.fixture
 -def httpbin(httpbin):
 +def httpbin():
 +    pytest.skip()
     return prepare_url(httpbin)
 @pytest.fixture
 -def httpbin_secure(httpbin_secure):
 +def httpbin_secure():
 +    pytest.skip()
     return prepare_url(httpbin_secure)
 -- 
 2.14.4
--- a/SOURCES/patch-requests-certs.py-to-use-the-system-CA-bundle.patch
+++ b/SOURCES/patch-requests-certs.py-to-use-the-system-CA-bundle.patch
@ -1,19 +1,7 @@
-From a8ef690988f92a56226f8b688f1a3638346bca8e Mon Sep 17 00:00:00 2001
+diff --color -Nur requests-2.25.1.orig/requests/certs.py requests-2.25.1/requests/certs.py
-From: Jeremy Cline <jeremy@jcline.org>
+--- requests-2.25.1.orig/requests/certs.py	2021-01-10 16:27:05.027059634 -0800
-Date: Mon, 19 Jun 2017 16:09:02 -0400
+++ requests-2.25.1/requests/certs.py	2021-01-10 16:29:06.973238179 -0800
-Subject: [PATCH] Patch requests/certs.py to use the system CA bundle
+@@ -10,8 +10,13 @@
 Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 ---
 requests/certs.py | 11 ++++++++++-
 setup.py          |  1 -
 2 files changed, 10 insertions(+), 2 deletions(-)
 diff --git a/requests/certs.py b/requests/certs.py
 index d1a378d7..7b103baf 100644
 --- a/requests/certs.py
 +++ b/requests/certs.py
@@ -11,8 +11,17 @@ only one — the one from the certifi package.
 If you are packaging Requests, e.g., for a Linux distribution or a managed
 environment, you can change the definition of where() to return a separately
 packaged CA bundle.
@ -22,28 +10,20 @@ index d1a378d7..7b103baf 100644
 +by the ca-certificates RPM package.
 """
 -from certifi import where
-+try:
+def where():
-+    from certifi import where
+    """Return the absolute path to the system CA bundle."""
-+except ImportError:
+    return '/etc/pki/tls/certs/ca-bundle.crt'
 +    def where():
 +        """Return the absolute path to the system CA bundle."""
 +        return '/etc/pki/tls/certs/ca-bundle.crt'
 +
 if __name__ == '__main__':
     print(where())
-diff --git a/setup.py b/setup.py
+diff --color -Nur requests-2.25.1.orig/setup.py requests-2.25.1/setup.py
-index 4e2ad936..60de5861 100755
+--- requests-2.25.1.orig/setup.py	2020-12-16 11:34:26.000000000 -0800
--- a/setup.py
+++ requests-2.25.1/setup.py	2021-01-10 16:29:21.570259552 -0800
-+++ b/setup.py
+@@ -45,7 +45,6 @@
-@@ -45,7 +45,6 @@ requires = [
+     'chardet>=3.0.2,<5',
-     'chardet>=3.0.2,<3.1.0',
+     'idna>=2.5,<3',
-     'idna>=2.5,<2.8',
+     'urllib3>=1.21.1,<1.27',
     'urllib3>=1.21.1,<1.25',
 -    'certifi>=2017.4.17'
 ]
 test_requirements = [
 -- 
 2.19.1
--- a/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
+++ b/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
@ -1,67 +0,0 @@
 diff --git a/requests/sessions.py b/requests/sessions.py
 index a448bd8..d73d700 100644
 --- a/requests/sessions.py
 +++ b/requests/sessions.py
@@ -19,7 +19,7 @@ from .cookies import (
 from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
 from .hooks import default_hooks, dispatch_hook
 from ._internal_utils import to_native_string
 -from .utils import to_key_val_list, default_headers
 +from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
 from .exceptions import (
     TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
         if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
                 and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
             return False
 +
 +        # Handle default port usage corresponding to scheme.
 +        changed_port = old_parsed.port != new_parsed.port
 +        changed_scheme = old_parsed.scheme != new_parsed.scheme
 +        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
 +        if (not changed_scheme and old_parsed.port in default_port
 +                and new_parsed.port in default_port):
 +            return False
 +
         # Standard case: root URI must match
 -        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
 +        return changed_port or changed_scheme
     def resolve_redirects(self, resp, req, stream=False, timeout=None,
                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
 diff --git a/requests/utils.py b/requests/utils.py
 index 0ce7fe1..04145c8 100644
 --- a/requests/utils.py
 +++ b/requests/utils.py
@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
 DEFAULT_CA_BUNDLE_PATH = certs.where()
 +DEFAULT_PORTS = {'http': 80, 'https': 443}
 +
 if sys.platform == 'win32':
     # provide a proxy_bypass version on Windows without DNS lookups
 diff --git a/tests/test_requests.py b/tests/test_requests.py
 index f46561e..f99fdaf 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
@@ -1611,6 +1611,17 @@ class TestRequests:
         s = requests.Session()
         assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
 +    @pytest.mark.parametrize(
 +        'old_uri, new_uri', (
 +            ('https://example.com:443/foo', 'https://example.com/bar'),
 +            ('http://example.com:80/foo', 'http://example.com/bar'),
 +            ('https://example.com/foo', 'https://example.com:443/bar'),
 +            ('http://example.com/foo', 'http://example.com:80/bar')
 +        ))
 +    def test_should_strip_auth_default_port(self, old_uri, new_uri):
 +        s = requests.Session()
 +        assert not s.should_strip_auth(old_uri, new_uri)
 +
     def test_manual_redirect_with_partial_body_read(self, httpbin):
         s = requests.Session()
         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
--- a/SOURCES/support_IPv6_CIDR_in_no_proxy.patch
+++ b/SOURCES/support_IPv6_CIDR_in_no_proxy.patch
@ -0,0 +1,268 @@
 From 94c0991a62246018bc9909907c2889519158079d Mon Sep 17 00:00:00 2001
 From: Derek Higgins <derekh@redhat.com>
 Date: Thu, 4 Jan 2024 11:30:57 +0100
 Subject: [PATCH] Add ipv6 support to should_bypass_proxies
 Add support to should_bypass_proxies to support
 IPv6 ipaddresses and CIDRs in no_proxy. Includes
 adding IPv6 support to various other helper functions.
 ---
 requests/utils.py   | 83 ++++++++++++++++++++++++++++++++++++++-------
 tests/test_utils.py | 67 ++++++++++++++++++++++++++++++++----
 2 files changed, 131 insertions(+), 19 deletions(-)
 diff --git a/requests/utils.py b/requests/utils.py
 index db67938..f3f780c 100644
 --- a/requests/utils.py
 +++ b/requests/utils.py
@@ -623,18 +623,46 @@ def requote_uri(uri):
         return quote(uri, safe=safe_without_percent)
 +def _get_mask_bits(mask, totalbits=32):
 +    """Converts a mask from /xx format to a int
 +    to be used as a mask for IP's in int format
 +
 +    Example: if mask is 24 function returns 0xFFFFFF00
 +             if mask is 24 and totalbits=128 function
 +                returns 0xFFFFFF00000000000000000000000000
 +
 +    :rtype: int
 +    """
 +    bits = ((1 << mask) - 1) << (totalbits - mask)
 +    return bits
 +
 +
 def address_in_network(ip, net):
     """This function allows you to check if an IP belongs to a network subnet
     Example: returns True if ip = 192.168.1.1 and net = 192.168.1.0/24
              returns False if ip = 192.168.1.1 and net = 192.168.100.0/24
 +             returns True if ip = 1:2:3:4::1 and net = 1:2:3:4::/64
     :rtype: bool
     """
 -    ipaddr = struct.unpack('=L', socket.inet_aton(ip))[0]
     netaddr, bits = net.split('/')
 -    netmask = struct.unpack('=L', socket.inet_aton(dotted_netmask(int(bits))))[0]
 -    network = struct.unpack('=L', socket.inet_aton(netaddr))[0] & netmask
 +    if is_ipv4_address(ip) and is_ipv4_address(netaddr):
 +        ipaddr = struct.unpack(">L", socket.inet_aton(ip))[0]
 +        netmask = _get_mask_bits(int(bits))
 +        network = struct.unpack(">L", socket.inet_aton(netaddr))[0]
 +    elif is_ipv6_address(ip) and is_ipv6_address(netaddr):
 +        ipaddr_msb, ipaddr_lsb = struct.unpack(
 +            ">QQ", socket.inet_pton(socket.AF_INET6, ip)
 +        )
 +        ipaddr = (ipaddr_msb << 64) ^ ipaddr_lsb
 +        netmask = _get_mask_bits(int(bits), 128)
 +        network_msb, network_lsb = struct.unpack(
 +            ">QQ", socket.inet_pton(socket.AF_INET6, netaddr)
 +        )
 +        network = (network_msb << 64) ^ network_lsb
 +    else:
 +        return False
     return (ipaddr & netmask) == (network & netmask)
@@ -654,12 +682,39 @@ def is_ipv4_address(string_ip):
     :rtype: bool
     """
     try:
 -        socket.inet_aton(string_ip)
 +        socket.inet_pton(socket.AF_INET, string_ip)
 +    except socket.error:
 +        return False
 +    return True
 +
 +
 +def is_ipv6_address(string_ip):
 +    """
 +    :rtype: bool
 +    """
 +    try:
 +        socket.inet_pton(socket.AF_INET6, string_ip)
     except socket.error:
         return False
     return True
 +def compare_ips(a, b):
 +    """
 +    Compare 2 IP's, uses socket.inet_pton to normalize IPv6 IPs
 +
 +    :rtype: bool
 +    """
 +    if a == b:
 +        return True
 +    try:
 +        return socket.inet_pton(socket.AF_INET6, a) == socket.inet_pton(
 +            socket.AF_INET6, b
 +        )
 +    except OSError:
 +        return False
 +
 +
 def is_valid_cidr(string_network):
     """
     Very simple check of the cidr format in no_proxy variable.
@@ -667,17 +722,19 @@ def is_valid_cidr(string_network):
     :rtype: bool
     """
     if string_network.count('/') == 1:
 +        address, mask = string_network.split("/")
         try:
 -            mask = int(string_network.split('/')[1])
 +            mask = int(mask)
         except ValueError:
             return False
 -        if mask < 1 or mask > 32:
 -            return False
 -
 -        try:
 -            socket.inet_aton(string_network.split('/')[0])
 -        except socket.error:
 +        if is_ipv4_address(address):
 +            if mask < 1 or mask > 32:
 +                return False
 +        elif is_ipv6_address(address):
 +            if mask < 1 or mask > 128:
 +                return False
 +        else:
             return False
     else:
         return False
@@ -734,12 +791,12 @@ def should_bypass_proxies(url, no_proxy):
             host for host in no_proxy.replace(' ', '').split(',') if host
         )
 -        if is_ipv4_address(parsed.hostname):
 +        if is_ipv4_address(parsed.hostname) or is_ipv6_address(parsed.hostname):
             for proxy_ip in no_proxy:
                 if is_valid_cidr(proxy_ip):
                     if address_in_network(parsed.hostname, proxy_ip):
                         return True
 -                elif parsed.hostname == proxy_ip:
 +                elif compare_ips(parsed.hostname, proxy_ip):
                     # If no_proxy ip was defined in plain IP notation instead of cidr notation &
                     # matches the IP of the index
                     return True
 diff --git a/tests/test_utils.py b/tests/test_utils.py
 index 463516b..4ce139a 100644
 --- a/tests/test_utils.py
 +++ b/tests/test_utils.py
@@ -21,7 +21,7 @@ from requests.utils import (
     requote_uri, select_proxy, should_bypass_proxies, super_len,
     to_key_val_list, to_native_string,
     unquote_header_value, unquote_unreserved,
 -    urldefragauth, add_dict_to_cookiejar, set_environ)
 +    urldefragauth, add_dict_to_cookiejar, set_environ, _get_mask_bits, compare_ips)
 from requests._internal_utils import unicode_is_ascii
 from .compat import StringIO, cStringIO
@@ -215,9 +215,15 @@ class TestIsIPv4Address:
 class TestIsValidCIDR:
 -
 -    def test_valid(self):
 -        assert is_valid_cidr('192.168.1.0/24')
 +    @pytest.mark.parametrize(
 +        "value",
 +        (
 +            "192.168.1.0/24",
 +            "1:2:3:4::/64",
 +        ),
 +    )
 +    def test_valid(self, value):
 +        assert is_valid_cidr(value)
     @pytest.mark.parametrize(
         'value', (
@@ -226,6 +232,11 @@ class TestIsValidCIDR:
             '192.168.1.0/128',
             '192.168.1.0/-1',
             '192.168.1.999/24',
 +            "1:2:3:4::1",
 +            "1:2:3:4::/a",
 +            "1:2:3:4::0/321",
 +            "1:2:3:4::/-1",
 +            "1:2:3:4::12211/64",
         ))
     def test_invalid(self, value):
         assert not is_valid_cidr(value)
@@ -239,6 +250,12 @@ class TestAddressInNetwork:
     def test_invalid(self):
         assert not address_in_network('172.16.0.1', '192.168.1.0/24')
 +    def test_valid_v6(self):
 +        assert address_in_network("1:2:3:4::1111", "1:2:3:4::/64")
 +
 +    def test_invalid_v6(self):
 +        assert not address_in_network("1:2:3:4:1111", "1:2:3:4::/124")
 +
 class TestGuessFilename:
@@ -624,13 +641,18 @@ def test_urldefragauth(url, expected):
             ('http://172.16.1.12:5000/', False),
             ('http://google.com:5000/v1.0/', False),
             ('file:///some/path/on/disk', True),
 +            ("http://[1:2:3:4:5:6:7:8]:5000/", True),
 +            ("http://[1:2:3:4::1]/", True),
 +            ("http://[1:2:3:9::1]/", True),
 +            ("http://[1:2:3:9:0:0:0:1]/", True),
 +            ("http://[1:2:3:9::2]/", False),
     ))
 def test_should_bypass_proxies(url, expected, monkeypatch):
     """Tests for function should_bypass_proxies to check if proxy
     can be bypassed or not
     """
 -    monkeypatch.setenv('no_proxy', '192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000')
 -    monkeypatch.setenv('NO_PROXY', '192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000')
 +    monkeypatch.setenv('no_proxy', '192.168.0.0/24,127.0.0.1,localhost.localdomain,1:2:3:4::/64,1:2:3:9::1,172.16.1.1, google.com:6000')
 +    monkeypatch.setenv('NO_PROXY', '192.168.0.0/24,127.0.0.1,localhost.localdomain,1:2:3:4::/64,1:2:3:9::1,172.16.1.1, google.com:6000')
     assert should_bypass_proxies(url, no_proxy=None) == expected
@@ -781,3 +803,36 @@ def test_set_environ_raises_exception():
             raise Exception('Expected exception')
     assert 'Expected exception' in str(exception.value)
 +
 +
 +@pytest.mark.parametrize(
 +    "mask, totalbits, maskbits",
 +    (
 +        (24, None, 0xFFFFFF00),
 +        (31, None, 0xFFFFFFFE),
 +        (0, None, 0x0),
 +        (4, 4, 0xF),
 +        (24, 128, 0xFFFFFF00000000000000000000000000),
 +    ),
 +)
 +def test__get_mask_bits(mask, totalbits, maskbits):
 +    args = {"mask": mask}
 +    if totalbits:
 +        args["totalbits"] = totalbits
 +    assert _get_mask_bits(**args) == maskbits
 +
 +
 +@pytest.mark.parametrize(
 +    "a, b, expected",
 +    (
 +        ("1.2.3.4", "1.2.3.4", True),
 +        ("1.2.3.4", "2.2.3.4", False),
 +        ("1::4", "1.2.3.4", False),
 +        ("1::4", "1::4", True),
 +        ("1::4", "1:0:0:0:0:0:0:4", True),
 +        ("1::4", "1:0:0:0:0:0::4", True),
 +        ("1::4", "1:0:0:0:0:0:1:4", False),
 +    ),
 +)
 +def test_compare_ips(a, b, expected):
 +    assert compare_ips(a, b) == expected
 -- 
 2.43.0
--- a/SPECS/python-requests.spec
+++ b/SPECS/python-requests.spec
@ -1,9 +1,11 @@
-%bcond_without tests
+# Disable tests on RHEL9 as to not pull in the test dependencies
-%bcond_without python3
+# Specify --with tests to run the tests e.g. on EPEL
 %bcond_with tests
 Name:           python-requests
-Version:        2.20.0
+Version:        2.25.1
-Release:        3%{?dist}
+Release:        8%{?dist}
 Summary:        HTTP library, written in Python, for human beings
 License:        ASL 2.0
@ -23,19 +25,32 @@ Patch2:         Remove-tests-that-use-the-tarpit.patch
 # a pretty odd one so this is a niche requirement.
 Patch3:         requests-2.12.4-tests_nonet.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1567862
+# The [security] extra as present in upstream 2.25.1 is not possible,
-Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
+# because the PyOpenSSL package is not part of RHEL 9.
 # We backport a pre-2.26.0 commit that makes request[security] a no-op:
 #   https://github.com/psf/requests/pull/5867
 # """
 # We initially removed default support for PyOpenSSL in Requests 2.24.0
 # as it is now considered less secure. Deprecation of the extras_require was
 # announced in Requests 2.25.0 and we're officially removing the extras_require
 # functionality in Requests 2.26.0.
 # Projects currently using requests[security] after this change will continue
 # to operate as if performing a standard requests installation (secure by default).
 # """
 Patch4:         Empty-security-extras.patch
-# Skip all tests needing httpbin
+# Security fix for CVE-2023-32681
-#   httpbin has too many dependencies to be shipped in RHEL just for
+# Unintended leak of Proxy-Authorization header
-#   build-time package tests
+# Resolved upstream: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
-Patch5:         Skip-all-tests-needing-httpbin.patch
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2209469
 Patch5:         CVE-2023-32681.patch
-# Properly handle default ports when stripping the authorization header.
+# Add support for IPv6 CIDR in no_proxy setting
-# This fixes a regression introduced with fixing CVE-2018-18074.
+# This functionality is needed in Openshift and it has been
-# Fixed upstream: https://github.com/psf/requests/pull/4851
+# proposed for upstream in 2021 but the PR unfortunately stalled.
-# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762422
+# Issue: https://issues.redhat.com/browse/RHEL-17548
-Patch6:         properly-handle-default-ports-in-auth-stripping.patch
+# Upstream PR: https://github.com/psf/requests/pull/5953
 Patch6:         support_IPv6_CIDR_in_no_proxy.patch
 BuildArch:      noarch
@ -45,54 +60,20 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 %package -n python2-requests
 Summary: HTTP library, written in Python, for human beings
 %{?python_provide:%python_provide python2-requests}
 BuildRequires:  python2-devel
 BuildRequires:  python2-chardet
 BuildRequires:  python2-urllib3
 BuildRequires:  python2-idna
 %if %{with tests}
 BuildRequires:  python2-pytest
 BuildRequires:  python2-pytest-mock
 %endif
 Requires:       ca-certificates
 Requires:       python2-chardet
 Requires:       python2-urllib3
 Requires:       python2-idna
 %if 0%{?rhel} && 0%{?rhel} <= 6
 BuildRequires:  python-ordereddict
 Requires:       python-ordereddict
 %endif
 %description -n python2-requests
 Most existing Python modules for sending HTTP requests are extremely verbose and
 cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 %if %{with python3}
 %package -n python%{python3_pkgversion}-requests
 Summary: HTTP library, written in Python, for human beings
 %{?python_provide:%python_provide python%{python3_pkgversion}-requests}
 BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-chardet
+BuildRequires:  pyproject-rpm-macros
-BuildRequires:  python%{python3_pkgversion}-urllib3
+
 BuildRequires:  python%{python3_pkgversion}-idna
 %if %{with tests}
-BuildRequires:  python%{python3_pkgversion}-pytest
+BuildRequires:  python3dist(pytest)
-BuildRequires:  python%{python3_pkgversion}-pytest-mock
+BuildRequires:  python3dist(pytest-httpbin)
 BuildRequires:  python3dist(pytest-mock)
 %endif
 Requires:       python%{python3_pkgversion}-chardet
 Requires:       python%{python3_pkgversion}-urllib3
 Requires:       python%{python3_pkgversion}-idna
 %description -n python%{python3_pkgversion}-requests
 Most existing Python modules for sending HTTP requests are extremely verbose and
@ -100,8 +81,16 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 %pyproject_extras_subpkg -n python%{python3_pkgversion}-requests security socks
 %generate_buildrequires
 %if %{with tests}
 %pyproject_buildrequires -r
 %else
 %pyproject_buildrequires
 %endif
 %prep
 %autosetup -p1 -n requests-%{version}
@ -111,78 +100,157 @@ rm -rf requests/cacert.pem
 # env shebang in nonexecutable file
 sed -i '/#!\/usr\/.*python/d' requests/certs.py
 # Some doctests use the internet and fail to pass in Koji. Since doctests don't have names, I don't
 # know a way to skip them. We also don't want to patch them out, because patching them out will
 # change the docs. Thus, we set pytest not to run doctests at all.
 sed -i 's/ --doctest-modules//' pytest.ini
 %build
-%py2_build
+%pyproject_wheel
-%if %{with python3}
+
 %py3_build
 %endif
 %install
-%py2_install
+%pyproject_install
-%if %{with python3}
+%pyproject_save_files requests
-%py3_install
+
 %endif
 %if %{with tests}
 %check
-PYTHONPATH=%{buildroot}%{python2_sitelib} %{__python2} -m pytest -v
+# test_https_warnings: https://github.com/psf/requests/issues/5530
-%if %{with python3}
+%pytest -v -k "not test_https_warnings"
 PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
 %endif
 %endif # tests
-%files -n python2-requests
+%files -n python%{python3_pkgversion}-requests -f %{pyproject_files}
 %license LICENSE
 %doc README.md HISTORY.md
 %{python2_sitelib}/*.egg-info
 %{python2_sitelib}/requests/
 %if %{with python3}
 %files -n python%{python3_pkgversion}-requests
 %license LICENSE
 %doc README.md HISTORY.md
 %{python3_sitelib}/*.egg-info
 %{python3_sitelib}/requests/
 %endif
 %changelog
-* Fri Nov 1 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.20.0-3
+* Tue Jan 02 2024 Lumír Balhar <lbalhar@redhat.com> - 2.25.1-8
- Properly handle default ports when stripping the authorization header
+- Add support for IPv6 CIDR in no_proxy setting
-Resolves: rhbz#1762422
+Resolves: RHEL-17548
-* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 2.20.0-2
+* Fri Jun 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-7
- Bumping due to problems with modular RPM upgrade path
+- Security fix for CVE-2023-32681
- Resolves: rhbz#1695587
+Resolves: rhbz#2209469
 * Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 2.25.1-6
 - Add automatically generated Obsoletes tag with the python39- prefix
  for smoother upgrade from RHEL8
 - Related: rhbz#1990421
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Thu Jul 15 2021 Miro Hrončok <mhroncok@redhat.com> - 2.25.1-4
 - Make requests[security] extras a no-op (backported from future 2.26.0)
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-2
 - Disable tests on RHEL9 to avoid pulling in the test dependencies
 * Tue Feb 02 2021 Kevin Fenzi <kevin@scrye.com> - 2.25.1-1
 - Update 2.25.1. Fix is rhbz#1908487
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.25.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Wed Nov 25 2020 Petr Viktorin <pviktori@redhat.com> - 2.25.0-1
 - Update to 2.25.0
 * Fri Nov 13 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-5
 - Don't BR pytest-cov
 * Fri Sep 18 2020 Petr Viktorin <pviktori@redhat.com> - 2.24.0-4
 - Port to pyproject macros
 * Fri Sep 18 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-3
 - Build with pytest 6, older version is no longer required
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.24.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Fri Jul 10 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-1
 - Update to 2.24.0
 - Resolves rhbz#1848104
 * Fri Jul 10 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-5
 - Add requests[security] and requests[socks] subpackages
 * Sat May 30 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-4
 - Test with pytest 4, drop manual requires
 * Mon May 25 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-3
 - Rebuilt for Python 3.9
 * Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-2
 - Bootstrap for Python 3.9
 * Fri Feb 21 2020 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.23.0-1
 - Update to 2.23.0 (#1804863).
 - https://requests.readthedocs.io/en/latest/community/updates/
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Oct 22 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.22.0-7
 - Remove the python2 subpackage (rhbz#1761787)
 * Wed Sep 18 2019 Petr Viktorin <pviktori@redhat.com> - 2.22.0-6
 - Python 2: Remove tests and test dependencies
 * Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-5
 - Rebuilt for Python 3.8
 * Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-4
 - Bootstrap for Python 3.8
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Tue Jun 11 2019 Yatin Karel <ykarel@redhat.com> - 2.22.0-2
 - Add minimum requirement for chardet and urllib3
 * Thu May 23 2019 Jeremy Cline <jcline@redhat.com> - 2.22.0-1
 - Update to v2.22.0
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.21.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Thu Dec 13 2018 Jeremy Cline <jeremy@jcline.org> - 2.21.0-1
 - Update to v2.21.0
 - Don't rely on certifi being patched properly to use the system CA bundle
 * Mon Nov 26 2018 Miro Hrončok <mhroncok@redhat.com> - 2.20.0-2
 - No pytest-httpbin for Python 2
 * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
- Update to v2.20.0 for CVE-2018-18074.
+- Update to v2.20.0
-* Tue Jul 31 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-5
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.19.1-3
- Make possible to disable python3 subpackage
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-* Mon Jul 16 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-4
+* Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.1-2
- First version for python27 module
+- Rebuilt for Python 3.7
-* Thu Jun 21 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-3
+* Thu Jun 14 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
 - Allow build with Python 2
 * Tue Jun 19 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.19.1-2
 - Remove the python-pytest-cov dependency
 * Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
 - Update to v2.19.1 (rhbz 1591531)
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
+* Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.0-2
 - Bootstrap for Python 3.7
 * Tue Jun 12 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
 - Update to v2.19.0 (rhbz 1590508)
-* Wed Jun 13 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-6
+* Fri Jun 08 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-6
- Skip all tests needing httpbin: httpbin has too many dependencies to be
+- Don't print runtime warning about urllib3 v1.23 (rhbz 1589306)
  shipped in RHEL just for build-time package tests
-* Tue Jun 12 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-5
+* Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-5
- BR idna, or the tests fail to start
+- Allow urllib3 v1.23 (rhbz 1586311)
 * Mon Apr 16 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-4
 - Stop injecting PyOpenSSL (rhbz 1567862)
`@ -1 +1 @@`
	`SOURCES/requests-v2.20.0.tar.gz`	`SOURCES/requests-v2.25.1.tar.gz`
`@ -1 +1 @@`
	`2c0728fc3aca17419b2b574341a0b019e117d4f5 SOURCES/requests-v2.20.0.tar.gz`	`804fdbaf3dbc57f49a66cef920e9d4a5ce3460eb SOURCES/requests-v2.25.1.tar.gz`