SOURCES/properly-handle-default-ports-in-auth-stripping.patch

@@ -0,0 +1,67 @@
+diff --git a/requests/sessions.py b/requests/sessions.py
+index a448bd8..d73d700 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -19,7 +19,7 @@ from .cookies import (
+ from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
+ from .hooks import default_hooks, dispatch_hook
+ from ._internal_utils import to_native_string
+-from .utils import to_key_val_list, default_headers
++from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
+ from .exceptions import (
+     TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
+ 
+@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
+         if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
+                 and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
+             return False
++
++        # Handle default port usage corresponding to scheme.
++        changed_port = old_parsed.port != new_parsed.port
++        changed_scheme = old_parsed.scheme != new_parsed.scheme
++        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
++        if (not changed_scheme and old_parsed.port in default_port
++                and new_parsed.port in default_port):
++            return False
++
+         # Standard case: root URI must match
+-        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
++        return changed_port or changed_scheme
+ 
+     def resolve_redirects(self, resp, req, stream=False, timeout=None,
+                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+diff --git a/requests/utils.py b/requests/utils.py
+index 0ce7fe1..04145c8 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
+ 
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+ 
++DEFAULT_PORTS = {'http': 80, 'https': 443}
++
+ 
+ if sys.platform == 'win32':
+     # provide a proxy_bypass version on Windows without DNS lookups
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index f46561e..f99fdaf 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -1611,6 +1611,17 @@ class TestRequests:
+         s = requests.Session()
+         assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
+ 
++    @pytest.mark.parametrize(
++        'old_uri, new_uri', (
++            ('https://example.com:443/foo', 'https://example.com/bar'),
++            ('http://example.com:80/foo', 'http://example.com/bar'),
++            ('https://example.com/foo', 'https://example.com:443/bar'),
++            ('http://example.com/foo', 'http://example.com:80/bar')
++        ))
++    def test_should_strip_auth_default_port(self, old_uri, new_uri):
++        s = requests.Session()
++        assert not s.should_strip_auth(old_uri, new_uri)
++
+     def test_manual_redirect_with_partial_body_read(self, httpbin):
+         s = requests.Session()
+         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)

SPECS/python-requests.spec

@@ -1,16 +1,9 @@
-%if 0%{?_module_build}
-# Don't run tests on module-build for now
-# See: https://bugzilla.redhat.com/show_bug.cgi?id=1450608
-%bcond_with tests
-%else
-# When bootstrapping Python, we cannot test this yet
 %bcond_without tests
-%endif
-
+%bcond_without python3
 
 Name:           python-requests
 Version:        2.20.0
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        HTTP library, written in Python, for human beings
 
 License:        ASL 2.0
@@ -38,6 +31,12 @@ Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
 #   build-time package tests
 Patch5:         Skip-all-tests-needing-httpbin.patch
 
+# Properly handle default ports when stripping the authorization header.
+# This fixes a regression introduced with fixing CVE-2018-18074.
+# Fixed upstream: https://github.com/psf/requests/pull/4851
+# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762422
+Patch6:         properly-handle-default-ports-in-auth-stripping.patch
+
 BuildArch:      noarch
 
 %description
@@ -46,6 +45,37 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
+%package -n python2-requests
+Summary: HTTP library, written in Python, for human beings
+%{?python_provide:%python_provide python2-requests}
+
+BuildRequires:  python2-devel
+BuildRequires:  python2-chardet
+BuildRequires:  python2-urllib3
+BuildRequires:  python2-idna
+%if %{with tests}
+BuildRequires:  python2-pytest
+BuildRequires:  python2-pytest-mock
+%endif
+
+
+Requires:       ca-certificates
+Requires:       python2-chardet
+Requires:       python2-urllib3
+Requires:       python2-idna
+
+%if 0%{?rhel} && 0%{?rhel} <= 6
+BuildRequires:  python-ordereddict
+Requires:       python-ordereddict
+%endif
+
+%description -n python2-requests
+Most existing Python modules for sending HTTP requests are extremely verbose and
+cumbersome. Python’s built-in urllib2 module provides most of the HTTP
+capabilities you should need, but the API is thoroughly broken. This library is
+designed to make HTTP requests easy for developers.
+
+%if %{with python3}
 %package -n python%{python3_pkgversion}-requests
 Summary: HTTP library, written in Python, for human beings
 
@@ -70,6 +100,8 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
+%endif
+
 %prep
 %autosetup -p1 -n requests-%{version}
 
@@ -80,32 +112,58 @@ rm -rf requests/cacert.pem
 sed -i '/#!\/usr\/.*python/d' requests/certs.py
 
 %build
+%py2_build
+%if %{with python3}
 %py3_build
-
+%endif
 
 %install
+%py2_install
+%if %{with python3}
 %py3_install
-
+%endif
 
 %if %{with tests}
 %check
+PYTHONPATH=%{buildroot}%{python2_sitelib} %{__python2} -m pytest -v
+%if %{with python3}
 PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
+%endif
 %endif # tests
 
+
+%files -n python2-requests
+%license LICENSE
+%doc README.md HISTORY.md
+%{python2_sitelib}/*.egg-info
+%{python2_sitelib}/requests/
+
+%if %{with python3}
 %files -n python%{python3_pkgversion}-requests
 %license LICENSE
 %doc README.md HISTORY.md
 %{python3_sitelib}/*.egg-info
 %{python3_sitelib}/requests/
+%endif
 
 
 %changelog
+* Fri Nov 1 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.20.0-3
+- Properly handle default ports when stripping the authorization header
+Resolves: rhbz#1762422
+
+* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 2.20.0-2
+- Bumping due to problems with modular RPM upgrade path
+- Resolves: rhbz#1695587
+
 * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
 - Update to v2.20.0 for CVE-2018-18074.
 
-* Wed Jul 11 2018 Petr Viktorin <pviktori@redhat.com> - 2.19.1-4
-- Remove the Python 2 subpackage
-  https://bugzilla.redhat.com/show_bug.cgi?id=1590396
+* Tue Jul 31 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-5
+- Make possible to disable python3 subpackage
+
+* Mon Jul 16 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-4
+- First version for python27 module
 
 * Thu Jun 21 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-3
 - Allow build with Python 2