import python-urllib3-1.24.2-3.module+el8.4.0+9193+f3daf6ef
This commit is contained in:
commit
b7c26a0eab
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/urllib3-1.24.2.tar.gz
|
1
.python-urllib3.metadata
Normal file
1
.python-urllib3.metadata
Normal file
@ -0,0 +1 @@
|
||||
02f5f10287e42a0e9d8666bbec9c51c4aec5bfc7 SOURCES/urllib3-1.24.2.tar.gz
|
162
SOURCES/CVE-2019-11236.patch
Normal file
162
SOURCES/CVE-2019-11236.patch
Normal file
@ -0,0 +1,162 @@
|
||||
From 9f6aa6b5f06ecfcfea2084d88f377c6e9dba5ce2 Mon Sep 17 00:00:00 2001
|
||||
From: Ryan Petrello <rpetrell@redhat.com>
|
||||
Date: Tue, 30 Apr 2019 12:36:48 -0400
|
||||
Subject: [PATCH 1/3] prevent CVE-2019-9740 in 1.24.x
|
||||
|
||||
adapted from https://github.com/python/cpython/pull/12755
|
||||
---
|
||||
test/test_util.py | 5 +++++
|
||||
src/urllib3/util/url.py | 8 ++++++++
|
||||
2 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/test/test_util.py b/test/test_util.py
|
||||
index 73d9452..dc6ffd0 100644
|
||||
--- a/test/test_util.py
|
||||
+++ b/test/test_util.py
|
||||
@@ -200,6 +200,11 @@ class TestUtil(object):
|
||||
with pytest.raises(ValueError):
|
||||
parse_url('[::1')
|
||||
|
||||
+ def test_parse_url_contains_control_characters(self):
|
||||
+ # see CVE-2019-9740
|
||||
+ with pytest.raises(LocationParseError):
|
||||
+ parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
|
||||
+
|
||||
def test_Url_str(self):
|
||||
U = Url('http', host='google.com')
|
||||
assert str(U) == U.url
|
||||
diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
|
||||
index 6b6f996..e8e1bd7 100644
|
||||
--- a/src/urllib3/util/url.py
|
||||
+++ b/src/urllib3/util/url.py
|
||||
@@ -1,5 +1,6 @@
|
||||
from __future__ import absolute_import
|
||||
from collections import namedtuple
|
||||
+import re
|
||||
|
||||
from ..exceptions import LocationParseError
|
||||
|
||||
@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
|
||||
# urllib3 infers URLs without a scheme (None) to be http.
|
||||
NORMALIZABLE_SCHEMES = ('http', 'https', None)
|
||||
|
||||
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
|
||||
+
|
||||
|
||||
class Url(namedtuple('Url', url_attrs)):
|
||||
"""
|
||||
@@ -155,6 +158,11 @@ def parse_url(url):
|
||||
# Empty
|
||||
return Url()
|
||||
|
||||
+ # Prevent CVE-2019-9740.
|
||||
+ # adapted from https://github.com/python/cpython/pull/12755
|
||||
+ if _contains_disallowed_url_pchar_re.search(url):
|
||||
+ raise LocationParseError("URL can't contain control characters. {!r}".format(url))
|
||||
+
|
||||
scheme = None
|
||||
auth = None
|
||||
host = None
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From ecc15bd412354ad916712113b0e426f8bc6cf52d Mon Sep 17 00:00:00 2001
|
||||
From: Ryan Petrello <lists@ryanpetrello.com>
|
||||
Date: Wed, 1 May 2019 16:46:44 -0400
|
||||
Subject: [PATCH 2/3] avoid CVE-2019-9740 by percent-encoding invalid path
|
||||
characters
|
||||
|
||||
this is to avoid breaking changes in downstream libraries like requests
|
||||
---
|
||||
test/test_util.py | 4 ++--
|
||||
src/urllib3/util/url.py | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/test/test_util.py b/test/test_util.py
|
||||
index dc6ffd0..d139329 100644
|
||||
--- a/test/test_util.py
|
||||
+++ b/test/test_util.py
|
||||
@@ -202,8 +202,8 @@ class TestUtil(object):
|
||||
|
||||
def test_parse_url_contains_control_characters(self):
|
||||
# see CVE-2019-9740
|
||||
- with pytest.raises(LocationParseError):
|
||||
- parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
|
||||
+ url = parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
|
||||
+ assert url.path == '/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:'
|
||||
|
||||
def test_Url_str(self):
|
||||
U = Url('http', host='google.com')
|
||||
diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
|
||||
index e8e1bd7..12b8d55 100644
|
||||
--- a/src/urllib3/util/url.py
|
||||
+++ b/src/urllib3/util/url.py
|
||||
@@ -3,6 +3,7 @@ from collections import namedtuple
|
||||
import re
|
||||
|
||||
from ..exceptions import LocationParseError
|
||||
+from ..packages.six.moves.urllib.parse import quote
|
||||
|
||||
|
||||
url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
|
||||
@@ -160,8 +161,7 @@ def parse_url(url):
|
||||
|
||||
# Prevent CVE-2019-9740.
|
||||
# adapted from https://github.com/python/cpython/pull/12755
|
||||
- if _contains_disallowed_url_pchar_re.search(url):
|
||||
- raise LocationParseError("URL can't contain control characters. {!r}".format(url))
|
||||
+ url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
|
||||
|
||||
scheme = None
|
||||
auth = None
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From 6cda449df587fd37135ee76a9253dc8e12e53c05 Mon Sep 17 00:00:00 2001
|
||||
From: Seth Michael Larson <sethmichaellarson@gmail.com>
|
||||
Date: Thu, 2 May 2019 09:02:24 -0500
|
||||
Subject: [PATCH 3/3] Also test unicode and query
|
||||
|
||||
---
|
||||
test/test_util.py | 22 +++++++++++++++++++---
|
||||
1 file changed, 19 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/test/test_util.py b/test/test_util.py
|
||||
index d139329..fa53aaf 100644
|
||||
--- a/test/test_util.py
|
||||
+++ b/test/test_util.py
|
||||
@@ -200,10 +200,26 @@ class TestUtil(object):
|
||||
with pytest.raises(ValueError):
|
||||
parse_url('[::1')
|
||||
|
||||
- def test_parse_url_contains_control_characters(self):
|
||||
+ @pytest.mark.parametrize('url, expected_url', [
|
||||
+ (
|
||||
+ 'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
|
||||
+ Url('http', host='localhost', port=None,
|
||||
+ path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
|
||||
+ ),
|
||||
+ (
|
||||
+ u'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
|
||||
+ Url('http', host='localhost', port=None,
|
||||
+ path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
|
||||
+ ),
|
||||
+ (
|
||||
+ 'http://localhost/ ?q=\r\n',
|
||||
+ Url('http', host='localhost', path='/%20', query='q=%0D%0A')
|
||||
+ ),
|
||||
+ ])
|
||||
+ def test_parse_url_contains_control_characters(self, url, expected_url):
|
||||
# see CVE-2019-9740
|
||||
- url = parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
|
||||
- assert url.path == '/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:'
|
||||
+ url = parse_url(url)
|
||||
+ assert url == expected_url
|
||||
|
||||
def test_Url_str(self):
|
||||
U = Url('http', host='google.com')
|
||||
--
|
||||
2.20.1
|
||||
|
37
SOURCES/CVE-2020-26137.patch
Normal file
37
SOURCES/CVE-2020-26137.patch
Normal file
@ -0,0 +1,37 @@
|
||||
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
|
||||
index 02b3665..1ab1890 100644
|
||||
--- a/src/urllib3/connection.py
|
||||
+++ b/src/urllib3/connection.py
|
||||
@@ -1,4 +1,5 @@
|
||||
from __future__ import absolute_import
|
||||
+import re
|
||||
import datetime
|
||||
import logging
|
||||
import os
|
||||
@@ -61,6 +62,8 @@ port_by_scheme = {
|
||||
# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
|
||||
RECENT_DATE = datetime.date(2017, 6, 30)
|
||||
|
||||
+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
|
||||
+
|
||||
|
||||
class DummyConnection(object):
|
||||
"""Used to detect a failed ConnectionCls import."""
|
||||
@@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object):
|
||||
conn = self._new_conn()
|
||||
self._prepare_conn(conn)
|
||||
|
||||
+ def putrequest(self, method, url, *args, **kwargs):
|
||||
+ """Send a request to the server"""
|
||||
+ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
|
||||
+ if match:
|
||||
+ raise ValueError(
|
||||
+ "Method cannot contain non-token characters %r (found at least %r)"
|
||||
+ % (method, match.group())
|
||||
+ )
|
||||
+
|
||||
+ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
|
||||
+
|
||||
def request_chunked(self, method, url, body=None, headers=None):
|
||||
"""
|
||||
Alternative to the common request method, which sends the
|
1
SOURCES/ssl_match_hostname_py3.py
Normal file
1
SOURCES/ssl_match_hostname_py3.py
Normal file
@ -0,0 +1 @@
|
||||
from ssl import match_hostname, CertificateError
|
212
SPECS/python-urllib3.spec
Normal file
212
SPECS/python-urllib3.spec
Normal file
@ -0,0 +1,212 @@
|
||||
%bcond_with python3
|
||||
|
||||
%global srcname urllib3
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 1.24.2
|
||||
Release: 3%{?dist}
|
||||
Summary: Python HTTP library with thread-safe connection pooling and file post
|
||||
|
||||
License: MIT
|
||||
URL: https://github.com/shazow/urllib3
|
||||
Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
|
||||
# Used with Python 3.5+
|
||||
Source1: ssl_match_hostname_py3.py
|
||||
BuildArch: noarch
|
||||
|
||||
# CVE-2019-11236 python-urllib3:
|
||||
# - CRLF injection due to not encoding the '\r\n' sequence leading to
|
||||
# possible attack on internal service.
|
||||
# - Also known as CVE-2019-9740 (duplicate entry)
|
||||
# Backported from:
|
||||
# * https://github.com/urllib3/urllib3/pull/1591
|
||||
# - Superfluous commits were omitted (flake8 checks, travis settings, macos patch)
|
||||
# * https://github.com/urllib3/urllib3/pull/1593
|
||||
Patch1: CVE-2019-11236.patch
|
||||
|
||||
# CVE-2020-26137
|
||||
# CRLF injection via HTTP request method
|
||||
# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
|
||||
Patch2: CVE-2020-26137.patch
|
||||
|
||||
|
||||
%description
|
||||
Python HTTP module with connection pooling and file POST abilities.
|
||||
|
||||
%package -n python2-%{srcname}
|
||||
Summary: Python2 HTTP library with thread-safe connection pooling and file post
|
||||
%{?python_provide:%python_provide python2-%{srcname}}
|
||||
|
||||
Requires: ca-certificates
|
||||
|
||||
# Previously bundled things:
|
||||
Requires: python2-six
|
||||
Requires: python2-backports-ssl_match_hostname
|
||||
|
||||
# Secure extra requirements
|
||||
Requires: python2-ipaddress
|
||||
Requires: python2-pysocks
|
||||
|
||||
BuildRequires: python2-devel
|
||||
|
||||
# For tests
|
||||
BuildRequires: python2-pytest
|
||||
BuildRequires: python2-mock
|
||||
BuildRequires: python2-pysocks
|
||||
BuildRequires: python2-backports-ssl_match_hostname
|
||||
|
||||
%description -n python2-%{srcname}
|
||||
Python2 HTTP module with connection pooling and file POST abilities.
|
||||
|
||||
|
||||
%if %{with python3}
|
||||
%package -n python3-%{srcname}
|
||||
Summary: Python3 HTTP library with thread-safe connection pooling and file post
|
||||
|
||||
BuildRequires: python3-devel
|
||||
# For unittests
|
||||
BuildRequires: python3-mock
|
||||
BuildRequires: python3-six
|
||||
BuildRequires: python3-pysocks
|
||||
BuildRequires: python3-pytest
|
||||
|
||||
Requires: ca-certificates
|
||||
Requires: python3-six
|
||||
Requires: python3-pysocks
|
||||
|
||||
%description -n python3-%{srcname}
|
||||
Python3 HTTP module with connection pooling and file POST abilities.
|
||||
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -n %{srcname}-%{version}
|
||||
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
# Drop the dummyserver tests in koji.
|
||||
# These require tornado, a Web framework otherwise unused in the distro.
|
||||
rm -rf test/with_dummyserver/
|
||||
rm -rf test/test_connectionpool.py
|
||||
rm -rf dummyserver/
|
||||
# Don't run the Google App Engine tests
|
||||
rm -rf test/appengine/
|
||||
# Lots of these tests started failing, even for old versions, so it has something
|
||||
# to do with Fedora in particular. They don't fail in upstream build infrastructure
|
||||
rm -rf test/contrib/
|
||||
|
||||
# Tests for Python built without SSL, but RHEL builds with SSL. These tests
|
||||
# fail when combined with the unbundling of backports-ssl_match_hostname
|
||||
rm -f test/test_no_ssl.py
|
||||
|
||||
# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
|
||||
# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
|
||||
# (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
|
||||
# since a user's system time could be set to a little in the past from what build time is (because of timezones,
|
||||
# corner cases, etc). As stated in the comment in src/urllib3/connection.py:
|
||||
# When updating RECENT_DATE, move it to within two years of the current date,
|
||||
# and not less than 6 months ago.
|
||||
# Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or
|
||||
# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
|
||||
# There is also a test_ssl_wrong_system_time test (from test/with_dummyserver/test_https.py) that tests if
|
||||
# user's system time isn't set as too far in the past, because it could lead to SSL verification errors.
|
||||
# That is why we need RECENT_DATE to be set at most 2 years ago (or else test_ssl_wrong_system_time would
|
||||
# result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being
|
||||
# set to some time in the past, but not to far away from the present).
|
||||
# Next few lines update RECENT_DATE dynamically.
|
||||
|
||||
recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
|
||||
sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
|
||||
|
||||
|
||||
%build
|
||||
%py2_build
|
||||
%if %{with python3}
|
||||
%py3_build
|
||||
%endif
|
||||
|
||||
|
||||
%install
|
||||
%py2_install
|
||||
%if %{with python3}
|
||||
%py3_install
|
||||
%endif
|
||||
|
||||
# Unbundle the Python 2 build
|
||||
rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py*
|
||||
rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname/
|
||||
|
||||
mkdir -p %{buildroot}/%{python2_sitelib}/urllib3/packages/
|
||||
ln -s %{python2_sitelib}/six.py %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py
|
||||
ln -s %{python2_sitelib}/six.pyc %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyc
|
||||
ln -s %{python2_sitelib}/six.pyo %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyo
|
||||
|
||||
ln -s %{python2_sitelib}/backports/ssl_match_hostname %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname
|
||||
|
||||
%if %{with python3}
|
||||
# Unbundle the Python 3 build
|
||||
rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py*
|
||||
rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six*
|
||||
rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/
|
||||
|
||||
mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/
|
||||
ln -s %{python3_sitelib}/six.py \
|
||||
%{buildroot}/%{python3_sitelib}/urllib3/packages/six.py
|
||||
ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \
|
||||
%{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
|
||||
ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
|
||||
%{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
|
||||
# urllib3 requires Python 3.5 to use the standard library's match_hostname,
|
||||
# which we ship in RHEL8, so we can safely replace the bundled version with
|
||||
# this stub which imports the necessary objects.
|
||||
cp %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py
|
||||
%endif
|
||||
|
||||
%check
|
||||
pushd test
|
||||
PYTHONPATH=%{buildroot}%{python2_sitelib}:%{python2_sitelib} %{__python2} -m pytest -v
|
||||
popd
|
||||
%if %{with python3}
|
||||
py.test-3
|
||||
%endif
|
||||
|
||||
%files -n python2-%{srcname}
|
||||
%license LICENSE.txt
|
||||
%doc CHANGES.rst README.rst CONTRIBUTORS.txt
|
||||
%{python2_sitelib}/urllib3/
|
||||
%{python2_sitelib}/urllib3-*.egg-info
|
||||
|
||||
|
||||
%if %{with python3}
|
||||
%files -n python3-%{srcname}
|
||||
%license LICENSE.txt
|
||||
%doc CHANGES.rst README.rst CONTRIBUTORS.txt
|
||||
%{python3_sitelib}/urllib3/
|
||||
%{python3_sitelib}/urllib3-*.egg-info
|
||||
%endif
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 12 2020 Tomas Orsava <torsava@redhat.com> - 1.24.2-3
|
||||
- Update RECENT_DATE dynamically
|
||||
Related: rhbz#1883890 rhbz#1761380
|
||||
|
||||
* Fri Oct 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-2
|
||||
- Security fix for CVE-2020-26137
|
||||
Resolves: rhbz#1883890
|
||||
|
||||
* Fri May 03 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-1
|
||||
- Rebased to 1.24.2 to fix CVE-2019-11324
|
||||
- Added patches for CVE-2019-11236 (AKA CVE-2019-9740)
|
||||
- Resolves: rhbz#1706765 rhbz#1706762
|
||||
|
||||
* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 1.23-7
|
||||
- Bumping due to problems with modular RPM upgrade path
|
||||
- Resolves: rhbz#1695587
|
||||
|
||||
* Tue Jul 31 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-6
|
||||
- Make possible to disable python3 subpackage
|
||||
|
||||
* Mon Jul 16 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-5
|
||||
- First version for python27 module
|
Loading…
Reference in New Issue
Block a user