From f93cd58d963534b052004fa9768499f9c5009276 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Mon, 1 Apr 2024 08:02:41 +0000
Subject: [PATCH] import CS python3.12-requests-2.28.2-2.el8

---
 .gitignore                     |   1 +
 .python3.12-requests.metadata  |   1 +
 SOURCES/CVE-2023-32681.patch   |  56 +++++++++++++++
 SOURCES/system-certs.patch     |  57 +++++++++++++++
 SPECS/python3.12-requests.spec | 122 +++++++++++++++++++++++++++++++++
 5 files changed, 237 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .python3.12-requests.metadata
 create mode 100644 SOURCES/CVE-2023-32681.patch
 create mode 100644 SOURCES/system-certs.patch
 create mode 100644 SPECS/python3.12-requests.spec

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d6ae80a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/requests-v2.28.2.tar.gz
diff --git a/.python3.12-requests.metadata b/.python3.12-requests.metadata
new file mode 100644
index 0000000..093faa1
--- /dev/null
+++ b/.python3.12-requests.metadata
@@ -0,0 +1 @@
+be6e9fd46e3003475b0b961be23b4b32f61c680f SOURCES/requests-v2.28.2.tar.gz
diff --git a/SOURCES/CVE-2023-32681.patch b/SOURCES/CVE-2023-32681.patch
new file mode 100644
index 0000000..2b4cd79
--- /dev/null
+++ b/SOURCES/CVE-2023-32681.patch
@@ -0,0 +1,56 @@
+From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 6cb3b4dae3..dbcf2a7b0e 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers["Proxy-Authorization"] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index b1c8dd4534..b420c44d73 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin):
+ 
+         assert sent_headers.get("Proxy-Authorization") == proxy_auth_value
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ("user", "pass")
+         wrong_auth = ("wronguser", "wrongpass")
diff --git a/SOURCES/system-certs.patch b/SOURCES/system-certs.patch
new file mode 100644
index 0000000..1778958
--- /dev/null
+++ b/SOURCES/system-certs.patch
@@ -0,0 +1,57 @@
+From f21606c102368ad7a6e8bcab5a0c65dcddbbf9e5 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 19 Jan 2023 17:35:02 +0100
+Subject: [PATCH] system certs
+
+---
+ requests/certs.py | 7 ++++++-
+ setup.cfg         | 1 -
+ setup.py          | 1 -
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/requests/certs.py b/requests/certs.py
+index 1f30a45..9224f62 100644
+--- a/requests/certs.py
++++ b/requests/certs.py
+@@ -9,8 +9,13 @@ only one — the one from the certifi package.
+ If you are packaging Requests, e.g., for a Linux distribution or a managed
+ environment, you can change the definition of where() to return a separately
+ packaged CA bundle.
++
++This Fedora-patched package returns "/etc/pki/tls/certs/ca-bundle.crt" provided
++by the ca-certificates RPM package.
+ """
+-from certifi import where
++def where():
++    """Return the absolute path to the system CA bundle."""
++    return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ if __name__ == "__main__":
+     print(where())
+diff --git a/setup.cfg b/setup.cfg
+index bf21c81..906c0f1 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -4,7 +4,6 @@ provides-extra =
+     socks
+     use_chardet_on_py3
+ requires-dist =
+-    certifi>=2017.4.17
+     charset_normalizer>=2,<4
+     idna>=2.5,<4
+     urllib3>=1.21.1,<1.27
+diff --git a/setup.py b/setup.py
+index 092b40d..c6c0ad5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -62,7 +62,6 @@ requires = [
+     "charset_normalizer>=2,<4",
+     "idna>=2.5,<4",
+     "urllib3>=1.21.1,<1.27",
+-    "certifi>=2017.4.17",
+ ]
+ test_requirements = [
+     "pytest-httpbin==0.0.7",
+-- 
+2.39.0
+
diff --git a/SPECS/python3.12-requests.spec b/SPECS/python3.12-requests.spec
new file mode 100644
index 0000000..7eff523
--- /dev/null
+++ b/SPECS/python3.12-requests.spec
@@ -0,0 +1,122 @@
+%global __python3 /usr/bin/python3.12
+%global python3_pkgversion 3.12
+
+# When bootstrapping Python, we cannot test this yet
+# RHEL does not include the test dependencies
+%bcond_with tests
+# The extras are disabled on RHEL to avoid pysocks and deprecated requests[security]
+%bcond_with extras
+
+Name:           python%{python3_pkgversion}-requests
+Version:        2.28.2
+Release:        2%{?dist}
+Summary:        HTTP library, written in Python, for human beings
+
+License:        ASL 2.0
+URL:            https://pypi.io/project/requests
+Source:         https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz
+
+# Explicitly use the system certificates in ca-certificates.
+# https://bugzilla.redhat.com/show_bug.cgi?id=904614
+Patch0:         system-certs.patch
+
+# Security fix for CVE-2023-32681
+Patch1:         https://github.com/psf/requests/commit/74ea7cf7a6.patch#/CVE-2023-32681.patch
+
+BuildArch:      noarch
+BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  python%{python3_pkgversion}-rpm-macros
+BuildRequires:  python%{python3_pkgversion}-charset-normalizer
+BuildRequires:  python%{python3_pkgversion}-urllib3
+BuildRequires:  python%{python3_pkgversion}-idna
+BuildRequires:  python%{python3_pkgversion}-setuptools
+
+%if %{with tests}
+BuildRequires:  python%{python3_pkgversion}-pytest
+BuildRequires:  python%{python3_pkgversion}-pytest-httpbin
+BuildRequires:  python%{python3_pkgversion}-pytest-mock
+BuildRequires:  python%{python3_pkgversion}-trustme
+%endif
+
+Requires:  python%{python3_pkgversion}-charset-normalizer
+Requires:  python%{python3_pkgversion}-urllib3
+Requires:  python%{python3_pkgversion}-idna
+
+
+%description
+Most existing Python modules for sending HTTP requests are extremely verbose and
+cumbersome. Python’s built-in urllib2 module provides most of the HTTP
+capabilities you should need, but the API is thoroughly broken. This library is
+designed to make HTTP requests easy for developers.
+
+
+%if %{with extras}
+%python_extras_subpkg -n python%{python3_pkgversion}-requests -i %{python3_sitelib}/*.egg-info security socks
+%endif
+
+%prep
+%autosetup -p1 -n requests-%{version}
+
+# env shebang in nonexecutable file
+sed -i '/#!\/usr\/.*python/d' requests/certs.py
+
+# Some doctests use the internet and fail to pass in Koji. Since doctests don't have names, I don't
+# know a way to skip them. We also don't want to patch them out, because patching them out will
+# change the docs. Thus, we set pytest not to run doctests at all.
+sed -i 's/ --doctest-modules//' pyproject.toml
+
+
+%build
+%py3_build
+
+
+%install
+%py3_install
+
+
+%check
+%py3_check_import requests
+%if %{with tests}
+# test_use_proxy_from_environment needs pysocks
+%pytest -v %{!?with_extras:-k "not test_use_proxy_from_environment"}
+%endif
+
+
+%files -n python%{python3_pkgversion}-requests
+%license LICENSE
+%doc README.md HISTORY.md
+%{python3_sitelib}/*.egg-info/
+%{python3_sitelib}/requests/
+
+
+%changelog
+* Tue Jan 23 2024 Miro Hrončok <mhroncok@redhat.com> - 2.28.2-2
+- Rebuilt for timestamp .pyc invalidation mode
+
+* Thu Oct 19 2023 Tomáš Hrnčiar <thrnciar@redhat.com> - 2.28.2-1
+- Initial package
+- Fedora contributions by:
+      Adam Williamson <awilliam@redhat.com>
+      Arun SAG <sagarun@gmail.com>
+      Charalampos Stratakis <cstratak@redhat.com>
+      David Malcolm <dmalcolm@redhat.com>
+      Dennis Gilmore <dennis@ausil.us>
+      Igor Gnatenko <ignatenkobrain@fedoraproject.org>
+      Iryna Shcherbina <shcherbina.iryna@gmail.com>
+      Jeremy Cline <jeremy@jcline.org>
+      Karolina Surma <ksurma@redhat.com>
+      Kevin Fenzi <kevin@scrye.com>
+      Lumir Balhar <lbalhar@redhat.com>
+      Miro Hrončok <miro@hroncok.cz>
+      Petr Viktorin <pviktori@redhat.com>
+      Ralph Bean <rbean@redhat.com>
+      Randy Barlow <randy@electronsweatshop.com>
+      Rex Dieter <rdieter@math.unl.edu>
+      Robert Kuska <rkuska@redhat.com>
+      Slavek Kabrda <bkabrda@redhat.com>
+      Stephen Gallagher <sgallagh@redhat.com>
+      Tom Callaway <spot@fedoraproject.org>
+      Toshio Kuratomi <toshio@fedoraproject.org>
+      Yaakov Selkowitz <yselkowi@redhat.com>
+      yatinkarel <ykarel@redhat.com>
+