!57 fix CVE-2024-1682

Merge pull request !57 from 张攀/openEuler-20.03-LTS-SP4

Don-t-inject-pyopenssl-into-urllib3.patch

@@ -1,38 +0,0 @@
-From 86b1fa39fdebdb7bc57131c1a198d4d18e104f95 Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jeremy@jcline.org>
-Date: Mon, 16 Apr 2018 10:35:35 -0400
-Subject: [PATCH] Don't inject pyopenssl into urllib3
-
-Fedora ships sufficiently new versions of Python 2 and 3 to make this
-unnecessary (rhbz 1567862)
-
-Signed-off-by: Jeremy Cline <jeremy@jcline.org>
----
- requests/__init__.py | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/requests/__init__.py b/requests/__init__.py
-index a5b3c9c3..e312d314 100644
---- a/requests/__init__.py
-+++ b/requests/__init__.py
-@@ -90,17 +90,6 @@ except (AssertionError, ValueError):
-                   "version!".format(urllib3.__version__, chardet.__version__),
-                   RequestsDependencyWarning)
- 
--# Attempt to enable urllib3's SNI support, if possible
--try:
--    from urllib3.contrib import pyopenssl
--    pyopenssl.inject_into_urllib3()
--
--    # Check cryptography version
--    from cryptography import __version__ as cryptography_version
--    _check_cryptography(cryptography_version)
--except ImportError:
--    pass
--
- # urllib3's DependencyWarnings should be silenced.
- from urllib3.exceptions import DependencyWarning
- warnings.simplefilter('ignore', DependencyWarning)
--- 
-2.17.0
-

README.en.md

@@ -1,36 +0,0 @@
-# python-requests
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Instructions
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Contribution
-
-1.  Fork the repository
-2.  Create Feat_xxx branch
-3.  Commit your code
-4.  Create Pull Request
-
-
-#### Gitee Feature
-
-1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4.  The most valuable open source project [GVP](https://gitee.com/gvp)
-5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

README.md

@@ -1,39 +0,0 @@
-# python-requests
-
-#### 介绍
-{**以下是码云平台说明，您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 使用说明
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 参与贡献
-
-1.  Fork 本仓库
-2.  新建 Feat_xxx 分支
-3.  提交代码
-4.  新建 Pull Request
-
-
-#### 码云特技
-
-1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
-2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
-5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

Remove-tests-that-use-the-tarpit.patch

@@ -1,27 +1,23 @@
-From 524cd22fb77e69db9bb3f017bbb1d9782c37b0cd Mon Sep 17 00:00:00 2001
+From bb1c91432c5e9a1f402692db5c80c65136656afb Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jeremy@jcline.org>
 Date: Tue, 13 Jun 2017 09:08:09 -0400
 Subject: [PATCH] Remove tests that use the tarpit
-
+ 
 The latest version of Mock has started using systemd containers. The
 systemd-nspawn command is being run with --private-network, which
 immediately kills connections to something other than localhost. These
 tests depend on the connection not being killed immediately and that
 they are never responded to.
-
+ 
 Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 ---
- tests/test_requests.py | 25 -------------------------
- 1 file changed, 25 deletions(-)
-
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index b8350cb..46b7e9e 100755
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -2049,31 +2049,6 @@ class TestTimeout:
+diff -Naur requests-2.24.0/tests/test_requests.py requests-2/tests/test_requests.py
+--- requests-2.24.0/tests/test_requests.py      2020-08-04 18:05:14.250000000 +0800
++++ requests-2/tests/test_requests.py   2020-08-04 18:13:19.891000000 +0800
+@@ -2188,30 +2188,6 @@
          except ReadTimeout:
              pass
- 
+
 -    @pytest.mark.parametrize(
 -        'timeout', (
 -            (0.1, None),
@@ -46,10 +42,7 @@ index b8350cb..46b7e9e 100755
 -            pytest.fail('The connect() request should time out.')
 -        except ConnectTimeout:
 -            pass
--
-     def test_encoded_methods(self, httpbin):
-         """See: https://github.com/requests/requests/issues/2316"""
-         r = requests.request(b'GET', httpbin('get'))
--- 
-2.9.4
+
+     def test_encoded_methods(self, httpbin):
+         """See: https://github.com/psf/requests/issues/2316"""
 

backport-CVE-2023-32681.patch

@@ -0,0 +1,62 @@
+From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+Reference:https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
+Conflict:Adaptation Context
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index e8e2d60..6e73925 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 33880b8..4bf5321 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -551,6 +551,26 @@ class TestRequests:
+         with pytest.raises(InvalidProxyURL):
+             requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ('user', 'pass')
+         wrong_auth = ('wronguser', 'wrongpass')
+-- 
+2.33.0
+

backport-CVE-2024-1682.patch

@@ -0,0 +1,40 @@
+From 6106a63eb6c0fa490efa73d44388ac25b1b08af4 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Tue, 20 Feb 2024 11:58:35 -0800
+Subject: [PATCH] Cleanup defunct links from community docs page
+
+Reference:https://github.com/psf/requests/commit/6106a63eb6c0fa490efa73d44388ac25b1b08af4
+Conflict:NA
+
+---
+ docs/community/out-there.rst | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/docs/community/out-there.rst b/docs/community/out-there.rst
+index c33ab3c95b..c75c71f6a2 100644
+--- a/docs/community/out-there.rst
++++ b/docs/community/out-there.rst
+@@ -1,22 +1,10 @@
+ 
+ .. image:: https://farm5.staticflickr.com/4239/34450900674_15863ddea0_k_d.jpg
+ 
+-Python for iOS
+---------------
+-
+-Requests is built into the wonderful `Python for iOS <https://itunes.apple.com/us/app/python-2.7-for-ios/id485729872?mt=Python8>`_ runtime!
+-
+-To give it a try, simply::
+-
+-    import requests
+-
+-
+ Articles & Talks
+ ================
+-- `Python for the Web <https://www.gun.io/blog/python-for-the-web>`_ teaches how to use Python to interact with the web, using Requests.
+ - `Daniel Greenfeld's Review of Requests <https://pydanny.blogspot.com/2011/05/python-http-requests-for-humans.html>`_
+-- `My 'Python for Humans' talk <http://python-for-humans.heroku.com>`_ ( `audio <https://codeconf.s3.amazonaws.com/2011/pycodeconf/talks/PyCodeConf2011%20-%20Kenneth%20Reitz.m4a>`_ )
+-- `Issac Kelly's 'Consuming Web APIs' talk <https://issackelly.github.com/Consuming-Web-APIs-with-Python-Talk/slides/slides.html>`_
++- `Issac Kelly's 'Consuming Web APIs' talk <https://issackelly.github.io/Consuming-Web-APIs-with-Python-Talk/slides/slides.html>`_
+ - `Blog post about Requests via Yum <https://arunsag.wordpress.com/2011/08/17/new-package-python-requests-http-for-humans/>`_
+ - `Russian blog post introducing Requests <https://habr.com/post/126262/>`_
+ - `Sending JSON in Requests <http://www.coglib.com/~icordasc/blog/2014/11/sending-json-in-requests.html>`_

patch-requests-certs.py-to-use-the-system-CA-bundle.patch

@@ -1,26 +1,36 @@
-diff -uNrp a/requests/certs.py b/requests/certs.py
---- a/requests/certs.py	2019-12-20 15:17:38.304000000 +0800
-+++ b/requests/certs.py	2019-12-20 15:25:18.952000000 +0800
-@@ -11,7 +11,10 @@ If you are packaging Requests, e.g., for
+From aad5590d5ea47dc54cfd97da54f2640014f7d39d Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Thu, 13 Dec 2018 10:55:29 -0500
+Subject: [PATCH] Patch requests/certs.py to use the system CA bundle
+ 
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+diff -Naur requests-2.24.0/requests/certs.py requests-1/requests/certs.py
+--- requests-2.24.0/requests/certs.py   2020-08-04 18:05:14.250000000 +0800
++++ requests-1/requests/certs.py        2020-08-04 18:07:20.652000000 +0800
+@@ -10,8 +10,13 @@
+ If you are packaging Requests, e.g., for a Linux distribution or a managed
  environment, you can change the definition of where() to return a separately
  packaged CA bundle.
++
++This Fedora-patched package returns "/etc/pki/tls/certs/ca-bundle.crt" provided
++by the ca-certificates RPM package.
  """
 -from certifi import where
 +def where():
 +    """Return the absolute path to the system CA bundle."""
 +    return '/etc/pki/tls/certs/ca-bundle.crt'
-+
- 
+
  if __name__ == '__main__':
      print(where())
-diff -uNrp a/setup.py b/setup.py
---- a/setup.py	2019-12-20 15:17:38.304000000 +0800
-+++ b/setup.py	2019-12-20 15:14:39.212000000 +0800
-@@ -45,7 +45,6 @@ requires = [
-     'chardet>=3.0.2,<3.1.0',
-     'idna>=2.5,<2.9',
-     'urllib3>=1.21.1,<1.25',
+diff -Naur requests-2.24.0/setup.py requests-1/setup.py
+--- requests-2.24.0/setup.py    2020-08-04 18:05:14.250000000 +0800
++++ requests-1/setup.py 2020-08-04 18:07:46.508000000 +0800
+@@ -45,7 +45,6 @@
+     'chardet>=3.0.2,<4',
+     'idna>=2.5,<3',
+     'urllib3>=1.21.1,<1.26,!=1.25.0,!=1.25.1',
 -    'certifi>=2017.4.17'
- 
+
  ]
  test_requirements = [

python-requests.spec

@@ -1,19 +1,19 @@
 %bcond_with tests
 
 Name:           python-requests
-Version:        2.21.0
-Release:        4
+Version:        2.24.0
+Release:        3
 Summary:        Python HTTP Library
 License:        ASL 2.0
 URL:            http://python-requests.org/
-Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz
+Source0:        https://github.com/psf/requests/archive/v%{version}.tar.gz
 
-#These patches are from Redhat
-Patch0:         patch-requests-certs.py-to-use-the-system-CA-bundle.patch
-Patch2:         Remove-tests-that-use-the-tarpit.patch
-Patch3:         requests-2.12.4-tests_nonet.patch
-Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
-Patch5:         requests-2.20.0-no-py2-httpbin.patch
+Patch1:         requests-2.12.4-tests_nonet.patch
+Patch2:         requests-2.20.0-no-py2-httpbin.patch
+Patch3:         patch-requests-certs.py-to-use-the-system-CA-bundle.patch
+Patch4:         Remove-tests-that-use-the-tarpit.patch 
+Patch6000:      backport-CVE-2023-32681.patch
+Patch6001:      backport-CVE-2024-1682.patch
 
 BuildArch:      noarch
 
@@ -114,6 +114,21 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
 %doc HISTORY.md README.md
 
 %changelog
+* Mon Nov 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.0-3
+- fix CVE-2024-1682
+
+* Wed May 31 2023 zhangpan <zhangpan103@h-partners.com> - 2.24.0-2
+- fix CVE-2023-32681
+
+* Tue Aug 18 2020 jinzhimin <jinzhimin2@huawei.com> - 2.24.0-1
+- update package to 2.24.0
+
+* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.21.0-5
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC: delete describe info
+
 * Fri Dec 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.21.0-4
 - Type:bugfix
 - Id:NA