From f93cd58d963534b052004fa9768499f9c5009276 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 1 Apr 2024 08:02:41 +0000
Subject: [PATCH] import CS python3.12-requests-2.28.2-2.el8
---
.gitignore | 1 +
.python3.12-requests.metadata | 1 +
SOURCES/CVE-2023-32681.patch | 56 +++++++++++++++
SOURCES/system-certs.patch | 57 +++++++++++++++
SPECS/python3.12-requests.spec | 122 +++++++++++++++++++++++++++++++++
5 files changed, 237 insertions(+)
create mode 100644 .gitignore
create mode 100644 .python3.12-requests.metadata
create mode 100644 SOURCES/CVE-2023-32681.patch
create mode 100644 SOURCES/system-certs.patch
create mode 100644 SPECS/python3.12-requests.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d6ae80a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/requests-v2.28.2.tar.gz
diff --git a/.python3.12-requests.metadata b/.python3.12-requests.metadata
new file mode 100644
index 0000000..093faa1
--- /dev/null
+++ b/.python3.12-requests.metadata
@@ -0,0 +1 @@
+be6e9fd46e3003475b0b961be23b4b32f61c680f SOURCES/requests-v2.28.2.tar.gz
diff --git a/SOURCES/CVE-2023-32681.patch b/SOURCES/CVE-2023-32681.patch
new file mode 100644
index 0000000..2b4cd79
--- /dev/null
+++ b/SOURCES/CVE-2023-32681.patch
@@ -0,0 +1,56 @@ +From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Mon, 22 May 2023 08:08:57 -0700 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index 6cb3b4dae3..dbcf2a7b0e 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers["Proxy-Authorization"] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index b1c8dd4534..b420c44d73 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): + + assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + ++ ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ + def test_basicauth_with_netrc(self, httpbin): + auth = ("user", "pass") + wrong_auth = ("wronguser", "wrongpass") 
diff --git a/SOURCES/system-certs.patch b/SOURCES/system-certs.patch
new file mode 100644
index 0000000..1778958
--- /dev/null
+++ b/SOURCES/system-certs.patch
@@ -0,0 +1,57 @@
+From f21606c102368ad7a6e8bcab5a0c65dcddbbf9e5 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Thu, 19 Jan 2023 17:35:02 +0100
+Subject: [PATCH] system certs
+
+---
+ requests/certs.py | 7 ++++++-
+ setup.cfg | 1 -
+ setup.py | 1 -
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/requests/certs.py b/requests/certs.py
+index 1f30a45..9224f62 100644
+--- a/requests/certs.py
++++ b/requests/certs.py
+@@ -9,8 +9,13 @@ only one — the one from the certifi package.
+ If you are packaging Requests, e.g., for a Linux distribution or a managed
+ environment, you can change the definition of where() to return a separately
+ packaged CA bundle.
++
++This Fedora-patched package returns "/etc/pki/tls/certs/ca-bundle.crt" provided
++by the ca-certificates RPM package.
+ """
+-from certifi import where
++def where():
++ """Return the absolute path to the system CA bundle."""
++ return '/etc/pki/tls/certs/ca-bundle.crt'
+
+ if __name__ == "__main__":
+ print(where())
+diff --git a/setup.cfg b/setup.cfg
+index bf21c81..906c0f1 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -4,7 +4,6 @@ provides-extra =
+ socks
+ use_chardet_on_py3
+ requires-dist =
+- certifi>=2017.4.17
+ charset_normalizer>=2,<4
+ idna>=2.5,<4
+ urllib3>=1.21.1,<1.27
+diff --git a/setup.py b/setup.py
+index 092b40d..c6c0ad5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -62,7 +62,6 @@ requires = [
+ "charset_normalizer>=2,<4",
+ "idna>=2.5,<4",
+ "urllib3>=1.21.1,<1.27",
+- "certifi>=2017.4.17",
+ ]
+ test_requirements = [
+ "pytest-httpbin==0.0.7",
+--
+2.39.0
+
diff --git a/SPECS/python3.12-requests.spec b/SPECS/python3.12-requests.spec
new file mode 100644
index 0000000..7eff523
--- /dev/null
+++ b/SPECS/python3.12-requests.spec
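Review bot: The new `where()` docstring in the requests/certs.py hunk, `"""Return the absolute path to the system CA bundle."""`, reads as a guarantee, but the function only returns the literal '/etc/pki/tls/certs/ca-bundle.crt' and never checks that the file exists, whereas the certifi `where()` it replaces pointed at a file shipped inside the certifi package itself. Make that explicit so a caller who sees a verification error knows where to look: `"""Return the path of the distribution CA bundle (/etc/pki/tls/certs/ca-bundle.crt, shipped by ca-certificates); the file is not checked for existence here."""`. The added module-docstring paragraph also calls this a "Fedora-patched package" although the patch is being imported into a CentOS Stream/RHEL package; "This distribution-patched package" would be accurate for both.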
@@ -0,0 +1,122 @@
+%global __python3 /usr/bin/python3.12
+%global python3_pkgversion 3.12
+
+# When bootstrapping Python, we cannot test this yet
+# RHEL does not include the test dependencies
+%bcond_with tests
+# The extras are disabled on RHEL to avoid pysocks and deprecated requests[security]
+%bcond_with extras
+
+Name: python%{python3_pkgversion}-requests
+Version: 2.28.2
+Release: 2%{?dist}
+Summary: HTTP library, written in Python, for human beings
+
+License: ASL 2.0
+URL: https://pypi.io/project/requests
+Source: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz
+
+# Explicitly use the system certificates in ca-certificates.
+# https://bugzilla.redhat.com/show_bug.cgi?id=904614
+Patch0: system-certs.patch
+
+# Security fix for CVE-2023-32681
+Patch1: https://github.com/psf/requests/commit/74ea7cf7a6.patch#/CVE-2023-32681.patch
+
+BuildArch: noarch
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-rpm-macros
+BuildRequires: python%{python3_pkgversion}-charset-normalizer
+BuildRequires: python%{python3_pkgversion}-urllib3
+BuildRequires: python%{python3_pkgversion}-idna
+BuildRequires: python%{python3_pkgversion}-setuptools
+
+%if %{with tests}
+BuildRequires: python%{python3_pkgversion}-pytest
+BuildRequires: python%{python3_pkgversion}-pytest-httpbin
+BuildRequires: python%{python3_pkgversion}-pytest-mock
+BuildRequires: python%{python3_pkgversion}-trustme
+%endif
+
+Requires: python%{python3_pkgversion}-charset-normalizer
+Requires: python%{python3_pkgversion}-urllib3
+Requires: python%{python3_pkgversion}-idna
+
+
+%description
+Most existing Python modules for sending HTTP requests are extremely verbose and
+cumbersome. Python’s built-in urllib2 module provides most of the HTTP
+capabilities you should need, but the API is thoroughly broken. This library is
+designed to make HTTP requests easy for developers.
+
+
+%if %{with extras}
+%python_extras_subpkg -n python%{python3_pkgversion}-requests -i %{python3_sitelib}/*.egg-info security socks
+%endif
+
+%prep
+%autosetup -p1 -n requests-%{version}
+
+# env shebang in nonexecutable file
+sed -i '/#!\/usr\/.*python/d' requests/certs.py
+
+# Some doctests use the internet and fail to pass in Koji. Since doctests don't have names, I don't
+# know a way to skip them. We also don't want to patch them out, because patching them out will
+# change the docs. Thus, we set pytest not to run doctests at all.
+sed -i 's/ --doctest-modules//' pyproject.toml
+
+
+%build
+%py3_build
+
+
+%install
+%py3_install
+
+
+%check
+%py3_check_import requests
+%if %{with tests}
+# test_use_proxy_from_environment needs pysocks
+%pytest -v %{!?with_extras:-k "not test_use_proxy_from_environment"}
+%endif
+
+
+%files -n python%{python3_pkgversion}-requests
+%license LICENSE
+%doc README.md HISTORY.md
+%{python3_sitelib}/*.egg-info/
+%{python3_sitelib}/requests/
+
+
+%changelog
+* Tue Jan 23 2024 Miro Hrončok - 2.28.2-2
+- Rebuilt for timestamp .pyc invalidation mode
+
+* Thu Oct 19 2023 Tomáš Hrnčiar - 2.28.2-1
+- Initial package
+- Fedora contributions by:
+ Adam Williamson
+ Arun SAG
+ Charalampos Stratakis
+ David Malcolm
+ Dennis Gilmore
+ Igor Gnatenko
+ Iryna Shcherbina
+ Jeremy Cline
+ Karolina Surma
+ Kevin Fenzi
+ Lumir Balhar
+ Miro Hrončok
+ Petr Viktorin
+ Ralph Bean
+ Randy Barlow
+ Rex Dieter
+ Robert Kuska
+ Slavek Kabrda
+ Stephen Gallagher
+ Tom Callaway
+ Toshio Kuratomi
+ Yaakov Selkowitz
+ yatinkarel
+
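Review bot: The Requires block lists only charset-normalizer, urllib3 and idna, yet Patch0 (system-certs.patch) makes `requests.certs.where()` return the fixed path /etc/pki/tls/certs/ca-bundle.crt in place of certifi's bundled file, so nothing in this package guarantees that bundle is installed at runtime; add `Requires: ca-certificates` beside the other Requires lines unless it is already pulled in transitively by the python3.12 stack (worth confirming rather than assuming). A missing bundle presumably surfaces as a connection-time error rather than as skipped verification, but every HTTPS request would then fail. Separately, `%bcond_with tests` leaves tests off by default, so the regression test carried in CVE-2023-32681.patch is never executed in this build and %check runs only `%py3_check_import requests`; a comment under `# Security fix for CVE-2023-32681` such as `# its regression test only runs when built --with tests` would make that explicit to the next maintainer.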