packages/python-urllib3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport CVE-2023-45803

Browse Source 
(cherry picked from commit 3b6a7d6fdaf6014db14918e60e004e69317cfb32)
This commit is contained in:
chengyechun 2023-11-03 10:48:17 +08:00 committed by openeuler-sync-bot
parent f932ec142a
commit 8773098c29
3 changed files with 142 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CVE-2023-43804.patch → backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
View File

@ -5,6 +5,10 @@ Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com> Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Conflict:NA
Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
--- ---
src/urllib3/util/retry.py | 2 +- src/urllib3/util/retry.py | 2 +-
test/test_retry.py | 4 ++-- test/test_retry.py | 4 ++--

125
backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch Normal file
View File

@ -0,0 +1,125 @@
From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Tue, 17 Oct 2023 19:35:39 +0300
Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
Conflict:test/with_dummyserver/test_poolmanager.py and
test_connectionpool.py has not been modified because it has been deleted
in the pre-phase of the spec file
Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
---
dummyserver/handlers.py | 7 +++++++
src/urllib3/_collections.py | 18 ++++++++++++++++++
src/urllib3/connectionpool.py | 5 +++++
src/urllib3/poolmanager.py | 7 +++++--
4 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
index c90c2fc..acd181d 100644
--- a/dummyserver/handlers.py
+++ b/dummyserver/handlers.py
@@ -186,6 +186,8 @@ class TestingApp(RequestHandler):
status = request.params.get("status", "303 See Other")
if len(status) == 3:
status = "%s Redirect" % status.decode("latin-1")
+ elif isinstance(status, bytes):
+ status = status.decode("latin-1")
headers = [("Location", target)]
return Response(status=status, headers=headers)
@@ -264,6 +266,11 @@ class TestingApp(RequestHandler):
def headers(self, request):
return Response(json.dumps(dict(request.headers)))
+ def headers_and_params(self, request):
+ return Response(
+ json.dumps({"headers": dict(request.headers), "params": request.params})
+ )
+
def successful_retry(self, request):
"""Handler which will return an error and then success
diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
index da9857e..bceb845 100644
--- a/src/urllib3/_collections.py
+++ b/src/urllib3/_collections.py
@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
else:
return vals[1:]
+ def _prepare_for_method_change(self):
+ """
+ Remove content-specific header fields before changing the request
+ method to GET or HEAD according to RFC 9110, Section 15.4.
+ """
+ content_specific_headers = [
+ "Content-Encoding",
+ "Content-Language",
+ "Content-Location",
+ "Content-Type",
+ "Content-Length",
+ "Digest",
+ "Last-Modified",
+ ]
+ for header in content_specific_headers:
+ self.discard(header)
+ return self
+
# Backwards compatibility for httplib
getheaders = getlist
getallmatchingheaders = getlist
diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 659a9ca..ebce9ce 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -9,6 +9,7 @@ import warnings
from socket import error as SocketError
from socket import timeout as SocketTimeout
+from ._collections import HTTPHeaderDict
from .connection import (
BaseSSLError,
BrokenPipeError,
@@ -832,7 +833,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
redirect_location = redirect and response.get_redirect_location()
if redirect_location:
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
try:
retries = retries.increment(method, url, response=response, _pool=self)
diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
index ca4ec34..5f4afe1 100644
--- a/src/urllib3/poolmanager.py
+++ b/src/urllib3/poolmanager.py
@@ -4,7 +4,7 @@ import collections
import functools
import logging
-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
from .exceptions import (
LocationValueError,
@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
# Support relative URLs for redirecting.
redirect_location = urljoin(url, redirect_location)
- # RFC 7231, Section 6.4.4
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ kw["body"] = None
+ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
retries = kw.get("retries")
if not isinstance(retries, Retry):
--
2.23.0

16
python-urllib3.spec
View File

@ -3,7 +3,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 1.26.12 Version: 1.26.12
Release: 5 Release: 6
Summary: Sanity-friendly HTTP client for Python Summary: Sanity-friendly HTTP client for Python
License: MIT License: MIT
URL: https://urllib3.readthedocs.io URL: https://urllib3.readthedocs.io
@ -17,7 +17,8 @@ Patch6002: backport-fixed-issue-with-port-0-returning-None.patch
Patch6003: backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch Patch6003: backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch
Patch6004: backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch Patch6004: backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch
Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch
Patch6006: CVE-2023-43804.patch Patch6006: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
Patch6007: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
BuildArch: noarch BuildArch: noarch
@ -83,8 +84,17 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
%{python3_sitelib}/urllib3-*.egg-info %{python3_sitelib}/urllib3-*.egg-info
%changelog %changelog
* Fri Nov 03 2023 chengyechun <chengyechun1@huawei.com> - 1.26.12-6
- Type:CVE
- CVE:CVE-2023-45803
- SUG:NA
- DESC:fix CVE-2023-45803
* Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 1.26.12-5 * Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 1.26.12-5
- fix CVE-2023-43804 - Type:CVE
- CVE:CVE-2023-43804
- SUG:NA
- DESC:fix CVE-2023-43804
* Tue Mar 21 2023 chenhaixing <chenhaixing@huawei.com> - 1.26.12-4 * Tue Mar 21 2023 chenhaixing <chenhaixing@huawei.com> - 1.26.12-4
- Type:bugfix - Type:bugfix