rpms/python-urllib3
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-urllib3-1.24.2-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:36:18 -04:00 committed by Andrew Lukoshko
parent 69917ef57d
commit b6ed8d4e4e
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
SOURCES/CVE-2020-26137.patch Normal file
View File

@ -0,0 +1,37 @@
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index 02b3665..1ab1890 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -1,4 +1,5 @@
from __future__ import absolute_import
+import re
import datetime
import logging
import os
@@ -61,6 +62,8 @@ port_by_scheme = {
# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
RECENT_DATE = datetime.date(2017, 6, 30)
+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
+
class DummyConnection(object):
"""Used to detect a failed ConnectionCls import."""
@@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object):
conn = self._new_conn()
self._prepare_conn(conn)
+ def putrequest(self, method, url, *args, **kwargs):
+ """Send a request to the server"""
+ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
+ if match:
+ raise ValueError(
+ "Method cannot contain non-token characters %r (found at least %r)"
+ % (method, match.group())
+ )
+
+ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
+
def request_chunked(self, method, url, body=None, headers=None):
"""
Alternative to the common request method, which sends the

13
SPECS/python-urllib3.spec
View File

@ -2,7 +2,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 1.24.2 Version: 1.24.2
Release: 4%{?dist} Release: 5%{?dist}
Summary: Python HTTP library with thread-safe connection pooling and file post Summary: Python HTTP library with thread-safe connection pooling and file post
License: MIT License: MIT
@ -21,11 +21,17 @@ BuildArch: noarch
# - Superfluous commits were omitted (flake8 checks, travis settings, macos patch) # - Superfluous commits were omitted (flake8 checks, travis settings, macos patch)
# * https://github.com/urllib3/urllib3/pull/1593 # * https://github.com/urllib3/urllib3/pull/1593
Patch1: CVE-2019-11236.patch Patch1: CVE-2019-11236.patch
# Enable post-handshake authentication for TLS 1.3 # Enable post-handshake authentication for TLS 1.3
# - https://github.com/urllib3/urllib3/issues/1634 # - https://github.com/urllib3/urllib3/issues/1634
# - https://bugzilla.redhat.com/show_bug.cgi?id=1726743 # - https://bugzilla.redhat.com/show_bug.cgi?id=1726743
Patch2: Enable_TLS_1.3_post-handshake_authentication.patch Patch2: Enable_TLS_1.3_post-handshake_authentication.patch
# CVE-2020-26137
# CRLF injection via HTTP request method
# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
Patch3: CVE-2020-26137.patch
%description %description
Python HTTP module with connection pooling and file POST abilities. Python HTTP module with connection pooling and file POST abilities.
@ -54,6 +60,7 @@ Python3 HTTP module with connection pooling and file POST abilities.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
@ -129,6 +136,10 @@ popd
%changelog %changelog
* Mon Nov 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-5
- Security fix for CVE-2020-26137
Resolves: rhbz#1883889
* Wed Oct 30 2019 Anna Khaitovich <akhaitov@redhat.com> - 1.24.2-4 * Wed Oct 30 2019 Anna Khaitovich <akhaitov@redhat.com> - 1.24.2-4
- Update RECENT_DATE dynamically - Update RECENT_DATE dynamically
Resolves: rhbz#1761380 Resolves: rhbz#1761380