backport CVE-2023-45803

(cherry picked from commit 3b6a7d6fdaf6014db14918e60e004e69317cfb32)
2023-11-03 10:48:17 +08:00 · 2023-11-03 10:48:17 +08:00 · 8773098c29
commit 8773098c29
parent f932ec142a
3 changed files with 142 additions and 3 deletions
--- a/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
+++ b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
@ -5,6 +5,10 @@ Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)

 Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
 Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
+
+Conflict:NA
+Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+
 ---
 src/urllib3/util/retry.py                 |  2 +-
 test/test_retry.py                        |  4 ++--
--- a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
@ -0,0 +1,125 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+
+Conflict:test/with_dummyserver/test_poolmanager.py and
+test_connectionpool.py has not been modified because it has been deleted
+in the pre-phase of the spec file
+Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
+
+---
+ dummyserver/handlers.py       |  7 +++++++
+ src/urllib3/_collections.py   | 18 ++++++++++++++++++
+ src/urllib3/connectionpool.py |  5 +++++
+ src/urllib3/poolmanager.py    |  7 +++++--
+ 4 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
+index c90c2fc..acd181d 100644
+--- a/dummyserver/handlers.py
+++ b/dummyserver/handlers.py
+@@ -186,6 +186,8 @@ class TestingApp(RequestHandler):
+         status = request.params.get("status", "303 See Other")
+         if len(status) == 3:
+             status = "%s Redirect" % status.decode("latin-1")
+        elif isinstance(status, bytes):
+            status = status.decode("latin-1")
+ 
+         headers = [("Location", target)]
+         return Response(status=status, headers=headers)
+@@ -264,6 +266,11 @@ class TestingApp(RequestHandler):
+     def headers(self, request):
+         return Response(json.dumps(dict(request.headers)))
+ 
+    def headers_and_params(self, request):
+        return Response(
+            json.dumps({"headers": dict(request.headers), "params": request.params})
+        )
+
+     def successful_retry(self, request):
+         """Handler which will return an error and then success
+ 
+diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
+index da9857e..bceb845 100644
+--- a/src/urllib3/_collections.py
+++ b/src/urllib3/_collections.py
+@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
+         else:
+             return vals[1:]
+ 
+    def _prepare_for_method_change(self):
+        """
+        Remove content-specific header fields before changing the request
+        method to GET or HEAD according to RFC 9110, Section 15.4.
+        """
+        content_specific_headers = [
+            "Content-Encoding",
+            "Content-Language",
+            "Content-Location",
+            "Content-Type",
+            "Content-Length",
+            "Digest",
+            "Last-Modified",
+        ]
+        for header in content_specific_headers:
+            self.discard(header)
+        return self
+
+     # Backwards compatibility for httplib
+     getheaders = getlist
+     getallmatchingheaders = getlist
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 659a9ca..ebce9ce 100644
+--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
+@@ -9,6 +9,7 @@ import warnings
+ from socket import error as SocketError
+ from socket import timeout as SocketTimeout
+ 
+from ._collections import HTTPHeaderDict
+ from .connection import (
+     BaseSSLError,
+     BrokenPipeError,
+@@ -832,7 +833,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+         redirect_location = redirect and response.get_redirect_location()
+         if redirect_location:
+             if response.status == 303:
+                # Change the method according to RFC 9110, Section 15.4.4.
+                 method = "GET"
+                # And lose the body not to transfer anything sensitive.
+                body = None
+                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index ca4ec34..5f4afe1 100644
+--- a/src/urllib3/poolmanager.py
+++ b/src/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import collections
+ import functools
+ import logging
+ 
+-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+ from .exceptions import (
+     LocationValueError,
+@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
+         # Support relative URLs for redirecting.
+         redirect_location = urljoin(url, redirect_location)
+ 
+-        # RFC 7231, Section 6.4.4
+         if response.status == 303:
+            # Change the method according to RFC 9110, Section 15.4.4.
+             method = "GET"
+            # And lose the body not to transfer anything sensitive.
+            kw["body"] = None
+            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+         retries = kw.get("retries")
+         if not isinstance(retries, Retry):
+-- 
+2.23.0
+
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@ -3,7 +3,7 @@

 Name:           python-%{srcname}
 Version:        1.26.12
-Release:        5
+Release:        6
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://urllib3.readthedocs.io
@ -17,7 +17,8 @@ Patch6002:      backport-fixed-issue-with-port-0-returning-None.patch
 Patch6003:      backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch
 Patch6004:      backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch
 Patch6005:      backport-Fix-_idna_encode-handling-of-x80.patch
-Patch6006:	CVE-2023-43804.patch
+Patch6006:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
+Patch6007:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch

 BuildArch:      noarch

@ -83,8 +84,17 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info

 %changelog
+* Fri Nov 03 2023 chengyechun <chengyechun1@huawei.com> - 1.26.12-6
+- Type:CVE
+- CVE:CVE-2023-45803
+- SUG:NA
+- DESC:fix CVE-2023-45803
+
 * Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 1.26.12-5
- fix CVE-2023-43804
+- Type:CVE
+- CVE:CVE-2023-43804
+- SUG:NA
+- DESC:fix CVE-2023-43804

 * Tue Mar 21 2023 chenhaixing <chenhaixing@huawei.com> - 1.26.12-4
 - Type:bugfix