import python-urllib3-1.24.2-3.module+el8.4.0+9193+f3daf6ef
This commit is contained in:
parent
21a6f0e52b
commit
d9a4fb3e0c
37
SOURCES/CVE-2020-26137.patch
Normal file
37
SOURCES/CVE-2020-26137.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
|
||||||
|
index 02b3665..1ab1890 100644
|
||||||
|
--- a/src/urllib3/connection.py
|
||||||
|
+++ b/src/urllib3/connection.py
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
from __future__ import absolute_import
|
||||||
|
+import re
|
||||||
|
import datetime
|
||||||
|
import logging
|
||||||
|
import os
|
||||||
|
@@ -61,6 +62,8 @@ port_by_scheme = {
|
||||||
|
# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
|
||||||
|
RECENT_DATE = datetime.date(2017, 6, 30)
|
||||||
|
|
||||||
|
+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
|
||||||
|
+
|
||||||
|
|
||||||
|
class DummyConnection(object):
|
||||||
|
"""Used to detect a failed ConnectionCls import."""
|
||||||
|
@@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object):
|
||||||
|
conn = self._new_conn()
|
||||||
|
self._prepare_conn(conn)
|
||||||
|
|
||||||
|
+ def putrequest(self, method, url, *args, **kwargs):
|
||||||
|
+ """Send a request to the server"""
|
||||||
|
+ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
|
||||||
|
+ if match:
|
||||||
|
+ raise ValueError(
|
||||||
|
+ "Method cannot contain non-token characters %r (found at least %r)"
|
||||||
|
+ % (method, match.group())
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
|
||||||
|
+
|
||||||
|
def request_chunked(self, method, url, body=None, headers=None):
|
||||||
|
"""
|
||||||
|
Alternative to the common request method, which sends the
|
@ -1,10 +1,10 @@
|
|||||||
%bcond_without python3
|
%bcond_with python3
|
||||||
|
|
||||||
%global srcname urllib3
|
%global srcname urllib3
|
||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 1.24.2
|
Version: 1.24.2
|
||||||
Release: 1%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: Python HTTP library with thread-safe connection pooling and file post
|
Summary: Python HTTP library with thread-safe connection pooling and file post
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -24,6 +24,11 @@ BuildArch: noarch
|
|||||||
# * https://github.com/urllib3/urllib3/pull/1593
|
# * https://github.com/urllib3/urllib3/pull/1593
|
||||||
Patch1: CVE-2019-11236.patch
|
Patch1: CVE-2019-11236.patch
|
||||||
|
|
||||||
|
# CVE-2020-26137
|
||||||
|
# CRLF injection via HTTP request method
|
||||||
|
# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
|
||||||
|
Patch2: CVE-2020-26137.patch
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Python HTTP module with connection pooling and file POST abilities.
|
Python HTTP module with connection pooling and file POST abilities.
|
||||||
@ -78,6 +83,7 @@ Python3 HTTP module with connection pooling and file POST abilities.
|
|||||||
%setup -q -n %{srcname}-%{version}
|
%setup -q -n %{srcname}-%{version}
|
||||||
|
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
# Drop the dummyserver tests in koji.
|
# Drop the dummyserver tests in koji.
|
||||||
# These require tornado, a Web framework otherwise unused in the distro.
|
# These require tornado, a Web framework otherwise unused in the distro.
|
||||||
@ -94,6 +100,26 @@ rm -rf test/contrib/
|
|||||||
# fail when combined with the unbundling of backports-ssl_match_hostname
|
# fail when combined with the unbundling of backports-ssl_match_hostname
|
||||||
rm -f test/test_no_ssl.py
|
rm -f test/test_no_ssl.py
|
||||||
|
|
||||||
|
# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
|
||||||
|
# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
|
||||||
|
# (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
|
||||||
|
# since a user's system time could be set to a little in the past from what build time is (because of timezones,
|
||||||
|
# corner cases, etc). As stated in the comment in src/urllib3/connection.py:
|
||||||
|
# When updating RECENT_DATE, move it to within two years of the current date,
|
||||||
|
# and not less than 6 months ago.
|
||||||
|
# Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or
|
||||||
|
# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
|
||||||
|
# There is also a test_ssl_wrong_system_time test (from test/with_dummyserver/test_https.py) that tests if
|
||||||
|
# user's system time isn't set as too far in the past, because it could lead to SSL verification errors.
|
||||||
|
# That is why we need RECENT_DATE to be set at most 2 years ago (or else test_ssl_wrong_system_time would
|
||||||
|
# result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being
|
||||||
|
# set to some time in the past, but not to far away from the present).
|
||||||
|
# Next few lines update RECENT_DATE dynamically.
|
||||||
|
|
||||||
|
recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
|
||||||
|
sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%py2_build
|
%py2_build
|
||||||
%if %{with python3}
|
%if %{with python3}
|
||||||
@ -162,6 +188,14 @@ py.test-3
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 12 2020 Tomas Orsava <torsava@redhat.com> - 1.24.2-3
|
||||||
|
- Update RECENT_DATE dynamically
|
||||||
|
Related: rhbz#1883890 rhbz#1761380
|
||||||
|
|
||||||
|
* Fri Oct 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-2
|
||||||
|
- Security fix for CVE-2020-26137
|
||||||
|
Resolves: rhbz#1883890
|
||||||
|
|
||||||
* Fri May 03 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-1
|
* Fri May 03 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-1
|
||||||
- Rebased to 1.24.2 to fix CVE-2019-11324
|
- Rebased to 1.24.2 to fix CVE-2019-11324
|
||||||
- Added patches for CVE-2019-11236 (AKA CVE-2019-9740)
|
- Added patches for CVE-2019-11236 (AKA CVE-2019-9740)
|
||||||
|
Loading…
Reference in New Issue
Block a user