Hello community,
here is the log from the commit of package python-urllib3_1 for
openSUSE:Factory checked in at 2023-10-19 22:46:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3_1 (Old)
and /work/SRC/openSUSE:Factory/.python-urllib3_1.new.1945 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3_1"
Thu Oct 19 22:46:49 2023 rev:6 rq:1118605 version:1.26.18
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urllib3_1/python-urllib3_1.changes
2023-10-06 21:13:19.257422335 +0200
+++
/work/SRC/openSUSE:Factory/.python-urllib3_1.new.1945/python-urllib3_1.changes
2023-10-19 22:49:08.822409169 +0200
@@ -1,0 +2,7 @@
+Wed Oct 18 14:30:31 UTC 2023 - Daniel Garcia Moreno <[email protected]>
+
+- update to 1.26.18 (bsc#1216377, CVE-2023-45803):
+ * Made body stripped from HTTP requests changing the request method
+ to GET after HTTP 303 "See Other" redirect responses.
+
+-------------------------------------------------------------------
Old:
----
urllib3-1.26.17.tar.gz
New:
----
urllib3-1.26.18.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-urllib3_1.spec ++++++
--- /var/tmp/diff_new_pack.5z5DxR/_old 2023-10-19 22:49:09.330427594 +0200
+++ /var/tmp/diff_new_pack.5z5DxR/_new 2023-10-19 22:49:09.334427739 +0200
@@ -26,7 +26,7 @@
%endif
%{?sle15_python_module_pythons}
Name: python-urllib3_1%{psuffix}
-Version: 1.26.17
+Version: 1.26.18
Release: 0
Summary: HTTP library with thread-safe connection pooling, file post,
and more
License: MIT
++++++ urllib3-1.26.17.tar.gz -> urllib3-1.26.18.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/CHANGES.rst
new/urllib3-1.26.18/CHANGES.rst
--- old/urllib3-1.26.17/CHANGES.rst 2023-10-02 19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/CHANGES.rst 2023-10-17 19:42:56.000000000 +0200
@@ -1,6 +1,12 @@
Changes
=======
+1.26.18 (2023-10-17)
+--------------------
+
+* Made body stripped from HTTP requests changing the request method to GET
after HTTP 303 "See Other" redirect responses.
+
+
1.26.17 (2023-10-02)
--------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/PKG-INFO new/urllib3-1.26.18/PKG-INFO
--- old/urllib3-1.26.17/PKG-INFO 2023-10-02 19:18:33.111136000 +0200
+++ new/urllib3-1.26.18/PKG-INFO 2023-10-17 19:43:08.244008300 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: urllib3
-Version: 1.26.17
+Version: 1.26.18
Summary: HTTP library with thread-safe connection pooling, file post, and more.
Home-page: https://urllib3.readthedocs.io/
Author: Andrey Petrov
@@ -155,6 +155,12 @@
Changes
=======
+1.26.18 (2023-10-17)
+--------------------
+
+* Made body stripped from HTTP requests changing the request method to GET
after HTTP 303 "See Other" redirect responses.
+
+
1.26.17 (2023-10-02)
--------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/dummyserver/handlers.py
new/urllib3-1.26.18/dummyserver/handlers.py
--- old/urllib3-1.26.17/dummyserver/handlers.py 2023-10-02 19:18:24.000000000
+0200
+++ new/urllib3-1.26.18/dummyserver/handlers.py 2023-10-17 19:42:56.000000000
+0200
@@ -186,6 +186,8 @@
status = request.params.get("status", "303 See Other")
if len(status) == 3:
status = "%s Redirect" % status.decode("latin-1")
+ elif isinstance(status, bytes):
+ status = status.decode("latin-1")
headers = [("Location", target)]
return Response(status=status, headers=headers)
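Review bot: The added `elif` only decodes status values that are not exactly three characters long, so the earlier branch still calls `.decode()` on whatever it received; decoding once before the length check keeps both branches working on `str` and removes the duplicated decode: `if isinstance(status, bytes): status = status.decode("latin-1")` followed by `if len(status) == 3: status = "%s Redirect" % status`. The default `"303 See Other"` is already a `str`, so its handling is unchanged. The enclosing handler starts outside the hunk.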
@@ -264,6 +266,11 @@
def headers(self, request):
return Response(json.dumps(dict(request.headers)))
+ def headers_and_params(self, request):
+ return Response(
+ json.dumps({"headers": dict(request.headers), "params":
request.params})
+ )
+
def successful_retry(self, request):
"""Handler which will return an error and then success
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/src/urllib3/_collections.py
new/urllib3-1.26.18/src/urllib3/_collections.py
--- old/urllib3-1.26.17/src/urllib3/_collections.py 2023-10-02
19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/src/urllib3/_collections.py 2023-10-17
19:42:56.000000000 +0200
@@ -268,6 +268,24 @@
else:
return vals[1:]
+ def _prepare_for_method_change(self):
+ """
+ Remove content-specific header fields before changing the request
+ method to GET or HEAD according to RFC 9110, Section 15.4.
+ """
+ content_specific_headers = [
+ "Content-Encoding",
+ "Content-Language",
+ "Content-Location",
+ "Content-Type",
+ "Content-Length",
+ "Digest",
+ "Last-Modified",
+ ]
+ for header in content_specific_headers:
+ self.discard(header)
+ return self
+
# Backwards compatibility for httplib
getheaders = getlist
getallmatchingheaders = getlist
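Review bot: `_prepare_for_method_change` rebuilds the list of content-specific header names on every call; a class-level constant such as `_CONTENT_SPECIFIC_HEADERS = ("Content-Encoding", "Content-Language", "Content-Location", "Content-Type", "Content-Length", "Digest", "Last-Modified")` iterated with `for header in self._CONTENT_SPECIFIC_HEADERS:` keeps the RFC-derived list in one named, auditable place. The docstring should also state that the method discards in place and returns `self` so the call can be chained, which is how the connectionpool.py and poolmanager.py hunks use it. The enclosing class starts outside the hunk.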
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/src/urllib3/_version.py
new/urllib3-1.26.18/src/urllib3/_version.py
--- old/urllib3-1.26.17/src/urllib3/_version.py 2023-10-02 19:18:24.000000000
+0200
+++ new/urllib3-1.26.18/src/urllib3/_version.py 2023-10-17 19:42:56.000000000
+0200
@@ -1,2 +1,2 @@
# This file is protected via CODEOWNERS
-__version__ = "1.26.17"
+__version__ = "1.26.18"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/src/urllib3/connectionpool.py
new/urllib3-1.26.18/src/urllib3/connectionpool.py
--- old/urllib3-1.26.17/src/urllib3/connectionpool.py 2023-10-02
19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/src/urllib3/connectionpool.py 2023-10-17
19:42:56.000000000 +0200
@@ -9,6 +9,7 @@
from socket import error as SocketError
from socket import timeout as SocketTimeout
+from ._collections import HTTPHeaderDict
from .connection import (
BaseSSLError,
BrokenPipeError,
@@ -843,7 +844,11 @@
redirect_location = redirect and response.get_redirect_location()
if redirect_location:
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
try:
retries = retries.increment(method, url, response=response,
_pool=self)
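Review bot: Only `body` and `headers` are reset for the 303 retry; the `chunked` argument of `urlopen` is not, so a POST issued with `chunked=True` is re-sent as a GET that still carries `chunked=True` into the recursive `urlopen` call, which is outside the hunk. Whether that yields a `Transfer-Encoding: chunked` GET with an empty chunked body depends on `request_chunked`, which is not shown, but resetting it next to the body, `chunked = False`, keeps the redirected GET body-less on every path. The same point applies to `kw` in the poolmanager.py hunk, where `kw.pop("chunked", None)` would do. The enclosing `urlopen` starts and continues outside the hunk.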
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/urllib3-1.26.17/src/urllib3/contrib/securetransport.py
new/urllib3-1.26.18/src/urllib3/contrib/securetransport.py
--- old/urllib3-1.26.17/src/urllib3/contrib/securetransport.py 2023-10-02
19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/src/urllib3/contrib/securetransport.py 2023-10-17
19:42:56.000000000 +0200
@@ -64,9 +64,8 @@
import threading
import weakref
-import six
-
from .. import util
+from ..packages import six
from ..util.ssl_ import PROTOCOL_TLS_CLIENT
from ._securetransport.bindings import CoreFoundation, Security, SecurityConst
from ._securetransport.low_level import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/src/urllib3/poolmanager.py
new/urllib3-1.26.18/src/urllib3/poolmanager.py
--- old/urllib3-1.26.17/src/urllib3/poolmanager.py 2023-10-02
19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/src/urllib3/poolmanager.py 2023-10-17
19:42:56.000000000 +0200
@@ -4,7 +4,7 @@
import functools
import logging
-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool,
port_by_scheme
from .exceptions import (
LocationValueError,
@@ -382,9 +382,12 @@
# Support relative URLs for redirecting.
redirect_location = urljoin(url, redirect_location)
- # RFC 7231, Section 6.4.4
if response.status == 303:
+ # Change the method according to RFC 9110, Section 15.4.4.
method = "GET"
+ # And lose the body not to transfer anything sensitive.
+ kw["body"] = None
+ kw["headers"] =
HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
retries = kw.get("retries")
if not isinstance(retries, Retry):
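Review bot: The new `kw["headers"]` line indexes the key directly, which is safe only if `urlopen` has already populated a default for it earlier in the function (outside the hunk); a comment stating that assumption, e.g. `# kw["headers"] is always present here: a default is applied above`, would save the next reader from checking. It is also worth saying that `HTTPHeaderDict(kw["headers"])` builds a fresh copy before `_prepare_for_method_change` discards in place, so the mapping the caller passed (presumably the manager's shared default headers when none was given) is not mutated. The enclosing `urlopen` starts and continues outside the hunk.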
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.17/src/urllib3.egg-info/PKG-INFO
new/urllib3-1.26.18/src/urllib3.egg-info/PKG-INFO
--- old/urllib3-1.26.17/src/urllib3.egg-info/PKG-INFO 2023-10-02
19:18:33.000000000 +0200
+++ new/urllib3-1.26.18/src/urllib3.egg-info/PKG-INFO 2023-10-17
19:43:08.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: urllib3
-Version: 1.26.17
+Version: 1.26.18
Summary: HTTP library with thread-safe connection pooling, file post, and more.
Home-page: https://urllib3.readthedocs.io/
Author: Andrey Petrov
@@ -155,6 +155,12 @@
Changes
=======
+1.26.18 (2023-10-17)
+--------------------
+
+* Made body stripped from HTTP requests changing the request method to GET
after HTTP 303 "See Other" redirect responses.
+
+
1.26.17 (2023-10-02)
--------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/urllib3-1.26.17/test/with_dummyserver/test_connectionpool.py
new/urllib3-1.26.18/test/with_dummyserver/test_connectionpool.py
--- old/urllib3-1.26.17/test/with_dummyserver/test_connectionpool.py
2023-10-02 19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/test/with_dummyserver/test_connectionpool.py
2023-10-17 19:42:56.000000000 +0200
@@ -464,6 +464,17 @@
assert r.status == 200
assert r.data == b"Dummy server!"
+ def test_303_redirect_makes_request_lose_body(self):
+ with HTTPConnectionPool(self.host, self.port) as pool:
+ response = pool.request(
+ "POST",
+ "/redirect",
+ fields={"target": "/headers_and_params", "status": "303 See
Other"},
+ )
+ data = json.loads(response.data)
+ assert data["params"] == {}
+ assert "Content-Type" not in HTTPHeaderDict(data["headers"])
+
def test_bad_connect(self):
with HTTPConnectionPool("badhost.invalid", self.port) as pool:
with pytest.raises(MaxRetryError) as e:
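Review bot: `test_303_redirect_makes_request_lose_body` only checks that `params` is empty and `Content-Type` is absent; the stripping code also removes `Content-Length`, and nothing confirms the redirected request arrived as GET, so the assertions are weaker than the change they cover. Adding `assert "Content-Length" not in HTTPHeaderDict(data["headers"])` (and, if the echo handler is extended to report the method, asserting it is `GET`) pins the behaviour the changelog describes; the same applies to the matching test in the test_poolmanager.py hunk. This hunk also relies on `json` and `HTTPHeaderDict` already being imported in this file, since unlike test_poolmanager.py no import is added here; confirm that against the file head, which is outside the hunk.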
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/urllib3-1.26.17/test/with_dummyserver/test_poolmanager.py
new/urllib3-1.26.18/test/with_dummyserver/test_poolmanager.py
--- old/urllib3-1.26.17/test/with_dummyserver/test_poolmanager.py
2023-10-02 19:18:24.000000000 +0200
+++ new/urllib3-1.26.18/test/with_dummyserver/test_poolmanager.py
2023-10-17 19:42:56.000000000 +0200
@@ -5,6 +5,7 @@
from dummyserver.server import HAS_IPV6
from dummyserver.testcase import HTTPDummyServerTestCase,
IPv6HTTPDummyServerTestCase
+from urllib3._collections import HTTPHeaderDict
from urllib3.connectionpool import port_by_scheme
from urllib3.exceptions import MaxRetryError, URLSchemeUnknown
from urllib3.poolmanager import PoolManager
@@ -236,6 +237,20 @@
assert r._pool.num_connections == 1
assert len(http.pools) == 1
+ def test_303_redirect_makes_request_lose_body(self):
+ with PoolManager() as http:
+ response = http.request(
+ "POST",
+ "%s/redirect" % self.base_url,
+ fields={
+ "target": "%s/headers_and_params" % self.base_url,
+ "status": "303 See Other",
+ },
+ )
+ data = json.loads(response.data)
+ assert data["params"] == {}
+ assert "Content-Type" not in HTTPHeaderDict(data["headers"])
+
def test_unknown_scheme(self):
with PoolManager() as http:
unknown_scheme = "unknown"