!96 [sync] PR-95: fix CVE-2023-45803

From: @openeuler-sync-bot 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw

backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch

@@ -0,0 +1,139 @@
+From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <sethmichaellarson@gmail.com>
+Date: Mon, 2 Oct 2023 11:43:46 -0500
+Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
+---
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 ++--
+ test/with_dummyserver/test_poolmanager.py | 24 ++++++++++++++++++-----
+ 3 files changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 2490d5e5b6..60ef6c4f3f 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -154,7 +154,7 @@
+
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Authorization"])
++    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie", "Authorization"])
+
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 21ba1e92e1..95a33e7461 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -293,12 +293,12 @@ def test_retry_method_not_in_whitelist(self):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
++        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["x-api-secret"]
++        assert retry.remove_headers_on_redirect == {"x-api-secret"}
+ 
+     @pytest.mark.parametrize("value", ["-1", "+1", "1.0", six.u("\xb2")])  # \xb2 = ^2
+     def test_parse_retry_after_invalid(self, value):
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index fa07a372a9..02a38115c5 100644
+--- a/test/with_dummyserver/test_poolmanager.py
++++ b/test/with_dummyserver/test_poolmanager.py
+@@ -141,7 +141,7 @@ def test_redirect_cross_host_remove_headers(self):
+                 "GET",
+                 "%s/redirect" % self.base_url,
+                 fields={"target": "%s/headers" % self.base_url_alt},
+-                headers={"Authorization": "foo"},
++                headers={"Authorization": "foo", "Cookie": "foo=bar"},
+             )
+ 
+             assert r.status == 200
+@@ -149,12 +149,13 @@ def test_redirect_cross_host_remove_headers(self):
+             data = json.loads(r.data.decode("utf-8"))
+ 
+             assert "Authorization" not in data
++            assert "Cookie" not in data
+ 
+             r = http.request(
+                 "GET",
+                 "%s/redirect" % self.base_url,
+                 fields={"target": "%s/headers" % self.base_url_alt},
+-                headers={"authorization": "foo"},
++                headers={"authorization": "foo", "cookie": "foo=bar"},
+             )
+ 
+             assert r.status == 200
+@@ -163,6 +164,8 @@ def test_redirect_cross_host_remove_headers(self):
+ 
+             assert "authorization" not in data
+             assert "Authorization" not in data
++            assert "cookie" not in data
++            assert "Cookie" not in data
+ 
+     def test_redirect_cross_host_no_remove_headers(self):
+         with PoolManager() as http:
+@@ -170,7 +173,7 @@ def test_redirect_cross_host_no_remove_headers(self):
+                 "GET",
+                 "%s/redirect" % self.base_url,
+                 fields={"target": "%s/headers" % self.base_url_alt},
+-                headers={"Authorization": "foo"},
++                headers={"Authorization": "foo", "Cookie": "foo=bar"},
+                 retries=Retry(remove_headers_on_redirect=[]),
+             )
+ 
+@@ -179,6 +182,7 @@ def test_redirect_cross_host_no_remove_headers(self):
+             data = json.loads(r.data.decode("utf-8"))
+ 
+             assert data["Authorization"] == "foo"
++            assert data["Cookie"] == "foo=bar"
+ 
+     def test_redirect_cross_host_set_removed_headers(self):
+         with PoolManager() as http:
+@@ -186,7 +190,11 @@ def test_redirect_cross_host_set_removed_headers(self):
+                 "GET",
+                 "%s/redirect" % self.base_url,
+                 fields={"target": "%s/headers" % self.base_url_alt},
+-                headers={"X-API-Secret": "foo", "Authorization": "bar"},
++                headers={
++                    "X-API-Secret": "foo",
++                    "Authorization": "bar",
++                    "Cookie": "foo=bar",
++                },
+                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+             )
+ 
+@@ -196,12 +204,17 @@ def test_redirect_cross_host_set_removed_headers(self):
+ 
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
++            assert data["Cookie"] == "foo=bar"
+ 
+             r = http.request(
+                 "GET",
+                 "%s/redirect" % self.base_url,
+                 fields={"target": "%s/headers" % self.base_url_alt},
+-                headers={"x-api-secret": "foo", "authorization": "bar"},
++                headers={
++                    "x-api-secret": "foo",
++                    "authorization": "bar",
++                    "cookie": "foo=bar",
++                },
+                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
+             )
+ 
+@@ -212,6 +225,7 @@ def test_redirect_cross_host_set_removed_headers(self):
+             assert "x-api-secret" not in data
+             assert "X-API-Secret" not in data
+             assert data["Authorization"] == "bar"
++            assert data["Cookie"] == "foo=bar"
+ 
+     def test_redirect_without_preload_releases_connection(self):
+         with PoolManager(block=True, maxsize=2) as http:

backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch

@@ -0,0 +1,126 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+
+Conflict:test/with_dummyserver/test_poolmanager.py and
+test_connectionpool.py has not been modified because it has been deleted
+in the pre-phase of the spec file
+Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
+
+---
+ dummyserver/handlers.py       |  7 +++++++
+ src/urllib3/_collections.py   | 18 ++++++++++++++++++
+ src/urllib3/connectionpool.py |  6 +++++-
+ src/urllib3/poolmanager.py    |  7 +++++--
+ 4 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
+index 696dbab..6b501c7 100644
+--- a/dummyserver/handlers.py
++++ b/dummyserver/handlers.py
+@@ -182,6 +182,8 @@ class TestingApp(RequestHandler):
+         status = request.params.get("status", "303 See Other")
+         if len(status) == 3:
+             status = "%s Redirect" % status.decode("latin-1")
++        elif isinstance(status, bytes):
++            status = status.decode("latin-1")
+ 
+         headers = [("Location", target)]
+         return Response(status=status, headers=headers)
+@@ -260,6 +262,11 @@ class TestingApp(RequestHandler):
+     def headers(self, request):
+         return Response(json.dumps(dict(request.headers)))
+ 
++    def headers_and_params(self, request):
++        return Response(
++            json.dumps({"headers": dict(requests.headers), "params": request.params})
++        )
++
+     def successful_retry(self, request):
+         """ Handler which will return an error and then success
+ 
+diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
+index 019d151..8b3f0f7 100644
+--- a/src/urllib3/_collections.py
++++ b/src/urllib3/_collections.py
+@@ -267,6 +267,24 @@ class HTTPHeaderDict(MutableMapping):
+         else:
+             return vals[1:]
+ 
++    def _prepare_for_method_change(self):
++        """
++        Remove content-specific header fields before changing the request
++        method to GET or HEAD according to RFC 9110, Section 15.4.
++        """
++        content_specific_headers = [
++            "Content-Encoding",
++            "Content-Language",
++            "Content-Location",
++            "Content-Type",
++            "Content-Length",
++            "Digest",
++            "Last-Modified",
++        ]
++        for header in content_specific_headers:
++            self.discard(header)
++        return self
++
+     # Backwards compatibility for httplib
+     getheaders = getlist
+     getallmatchingheaders = getlist
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 174fe6c..40bf7f6 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -7,7 +7,7 @@ import warnings
+ from socket import error as SocketError, timeout as SocketTimeout
+ import socket
+ 
+-
++from ._collections import HTTPHeaderDict
+ from .exceptions import (
+     ClosedPoolError,
+     ProtocolError,
+@@ -771,7 +771,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+         redirect_location = redirect and response.get_redirect_location()
+         if redirect_location:
+             if response.status == 303:
++                # Change the method according to RFC 9110, Section 15.4.4.
+                 method = "GET"
++                # And lose the body not to transfer anything sensitive
++                body = None
++                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index a23ff11..e60197e 100644
+--- a/src/urllib3/poolmanager.py
++++ b/src/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import functools
+ import logging
+ import warnings
+ 
+-from ._collections import RecentlyUsedContainer
++from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool
+ from .connectionpool import port_by_scheme
+ from .exceptions import (
+@@ -343,9 +343,12 @@ class PoolManager(RequestMethods):
+         # Support relative URLs for redirecting.
+         redirect_location = urljoin(url, redirect_location)
+ 
+-        # RFC 7231, Section 6.4.4
+         if response.status == 303:
++            # Change the method according to RFC 9110, Section 15.4.4.
+             method = "GET"
++            # And lose the body not to transfer anything sensitive.
++            kw["body"] = None
++            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+         retries = kw.get("retries")
+         if not isinstance(retries, Retry):
+-- 
+2.23.0
+

backport-add-server_hostname-to-SSL_KEYWORDS.patch

@@ -0,0 +1,25 @@
+From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001
+From: Hasan Ramezani <hasan.r67@gmail.com>
+Date: Thu, 20 Jan 2022 15:56:02 +0100
+Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS
+
+Conflict:no add testcode
+Reference:https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
+---
+ src/urllib3/poolmanager.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index 3a31a28..ca4ec34 100644
+--- a/src/urllib3/poolmanager.py
++++ b/src/urllib3/poolmanager.py
+@@ -34,6 +34,7 @@ SSL_KEYWORDS = (
+     "ca_cert_dir",
+     "ssl_context",
+     "key_password",
++    "server_hostname",
+ )
+
+ # All known keyword arguments that could be provided to the pool manager, its
+--
+2.27.0

backport-fix-NRESERVED_PAT-and-_idna_encode.patch

@@ -0,0 +1,34 @@
+From b7c63ba938344c8911b4c3b32faf8d0029f879e6 Mon Sep 17 00:00:00 2001
+From: xzf1234 <xzff@hust.edu.cn>
+Date: Sun, 23 Apr 2023 20:25:38 +0800
+Subject: [PATCH] second
+
+---
+ urllib3-1.25.9/src/urllib3/util/url.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 793324e..2f7fdaa 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -50,7 +50,7 @@ _variations = [
+     "(?:(?:%(hex)s:){0,6}%(hex)s)?::",
+ ]
+ 
+-UNRESERVED_PAT = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._!\-~"
++UNRESERVED_PAT = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._\-~"
+ IPV6_PAT = "(?:" + "|".join([x % _subs for x in _variations]) + ")"
+ ZONE_ID_PAT = "(?:%25|%)(?:[" + UNRESERVED_PAT + "]|%[a-fA-F0-9]{2})+"
+ IPV6_ADDRZ_PAT = r"\[" + IPV6_PAT + r"(?:" + ZONE_ID_PAT + r")?\]"
+@@ -300,7 +300,7 @@ def _normalize_host(host, scheme):
+ 
+ 
+ def _idna_encode(name):
+-    if name and any([ord(x) > 128 for x in name]):
++    if name and any(ord(x) >= 128 for x in name):
+         try:
+             import idna
+         except ImportError:
+-- 
+2.33.1.windows.1
+

backport-fixed-issue-with-port-0-returning-None.patch

@@ -0,0 +1,47 @@
+From 7b6049c4d7551c0a3d04e213b853ef33b8ed1cd9 Mon Sep 17 00:00:00 2001
+From: Bastian Venthur <venthur@debian.org>
+Date: Fri, 9 Dec 2022 21:47:14 +0100
+Subject: [PATCH] fixed issue with port "0" returning None
+
+Conflict:adapt:
+1.no change changelog/2850.bugfix.rst
+2.The content of "@@" is adapted
+Reference:https://github.com/urllib3/urllib3/pull/2849
+---
+ src/urllib3/util/url.py | 2 +-
+ test/test_util.py       | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 6793de3..701ad75 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -63,7 +63,7 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+
+-_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*?(|0|[1-9][0-9]{0,4}))?$") % (
+     REG_NAME_PAT,
+     IPV4_PAT,
+     IPV6_ADDRZ_PAT,
+diff --git a/test/test_util.py b/test/test_util.py
+index 165a331..c8729e8 100644
+--- a/test/test_util.py
++++ b/test/test_util.py
+@@ -343,6 +343,13 @@ class TestUtil(object):
+         url = parse_url("https://example.com:0000000000080")
+         assert url.port == 80
+
++    def test_parse_url_only_zeros(self) -> None:
++        url = parse_url("https://example.com:0")
++        assert url.port == 0
++
++        url = parse_url("https://example.com:000000000000")
++        assert url.port == 0
++
+     def test_Url_str(self):
+         U = Url("http", host="google.com")
+         assert str(U) == U.url
+--
+2.27.0

backport-strip-leading-zeros-form-ports.patch

@@ -0,0 +1,46 @@
+From 955da4d03eaa6785aef40a34f440a67d736a4793 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <sethmichaellarson@gmail.com>
+Date: Tue, 22 Nov 2022 17:59:57 +0000
+Subject: [PATCH] [1.26] Strip leading zeros from ports
+ 
+Co-authored-by: Bastian Venthur <bastian.venthur@flixbus.com>
+Co-authored-by: Hasan Ramezani <hasan.r67@gmail.com>
+ 
+Conflict:adapt:The line number of test_parse_url_remove_leading_zeros is adapted.
+Reference:https://github.com/urllib3/urllib3/commit/955da4d03eaa6785aef40a34f440a67d736a4793
+---
+ src/urllib3/util/url.py | 2 +-
+ test/test_util.py       | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ 
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 318a6d6..6793de3 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -63,7 +63,7 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+ 
+-_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*([0-9]{0,5}))?$") % (
+     REG_NAME_PAT,
+     IPV4_PAT,
+     IPV6_ADDRZ_PAT,
+diff --git a/test/test_util.py b/test/test_util.py
+index ef6aa11..165a331 100644
+--- a/test/test_util.py
++++ b/test/test_util.py
+@@ -339,6 +339,10 @@ class TestUtil(object):
+         with pytest.raises(LocationParseError):
+             parse_url("https://www.google.com:-80/")
+ 
++    def test_parse_url_remove_leading_zeros(self):
++        url = parse_url("https://example.com:0000000000080")
++        assert url.port == 80
++
+     def test_Url_str(self):
+         U = Url("http", host="google.com")
+         assert str(U) == U.url
+--
+2.27.0
+ 

python-urllib3.spec

@@ -3,7 +3,7 @@
 
 Name:           python-%{srcname}
 Version:        1.25.9
-Release:        5
+Release:        10
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://urllib3.readthedocs.io
@@ -15,6 +15,12 @@ Patch0000:      set-RECENT_DATE-not-be-older-than-2-years.patch
 Patch6000:      backport-CVE-2021-33503.patch
 Patch6001:      backport-Change-TARPIT_HOST-to-detect-isolated-network.patch
 Patch6002:      backport-Do-not-insert-None-into-ConnectionPool-if-it-was-empty.patch
+Patch6003:      backport-add-server_hostname-to-SSL_KEYWORDS.patch
+Patch6004:      backport-strip-leading-zeros-form-ports.patch
+Patch6005:      backport-fixed-issue-with-port-0-returning-None.patch
+Patch6006:      backport-fix-NRESERVED_PAT-and-_idna_encode.patch
+Patch6007:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
+Patch6008:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
 
 %global _description \
 HTTP library with thread-safe connection pooling, file post support,\
@@ -116,6 +122,36 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 
 %changelog
+* Mon Nov 06 2023 chengyechun <chengyechun1@huawei.com> - 1.25.9-10
+- Type:CVE
+- CVE:CVE-2023-45803
+- SUG:NA
+- DESC:fix CVE-2023-45803
+
+* Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 1.25.9-9
+- Type:CVE
+- CVE:CVE-2023-43804
+- SUG:NA
+- DESC:fix CVE-2023-43804
+
+* Sun Apr 23 2023 xzf1244 <xzff@hust.edu.cn> - 1.25.9-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix field NRESERVED_PAT and function _idna_encode that will cause bugs
+
+* Thu Jan 19 2023 chenhaixing <chenhaixing@huawei.com> - 1.25.9-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:modify HOST_PORT_PAT in backport-fixed-issue-with-port-0-returning-None.patch
+
+* Mon Jan 16 2023 chenhaixing <chenhaixing@huawei.com> - 1.25.9-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix parse port error and add server_hostname to SSL_KEYWORDS
+
 * Thu Jan 5 2023 chenhaixing <chenhaixing@huawei.com> - 1.25.9-5
 - Type:bugfix
 - CVE:NA