Page MenuHomeSolus
Files F10848766

D4750.id11637.diff
No OneTemporary
Actions

D4750.id11637.diff
View Options

diff --git a/files/security/cve-2018-18074.patch b/files/security/cve-2018-18074.patch
deleted file mode 100644
--- a/files/security/cve-2018-18074.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 3331e2aecdbf575dd60abef4df79c52d78610a83 Mon Sep 17 00:00:00 2001
-From: Bruce Merry <bmerry@ska.ac.za>
-Date: Thu, 28 Jun 2018 16:38:42 +0200
-Subject: [PATCH 1/2] Strip Authorization header whenever root URL changes
-
-Previously the header was stripped only if the hostname changed, but in
-an https -> http redirect that can leak the credentials on the wire
-(#4716). Based on with RFC 7235 section 2.2, the header is now stripped
-if the "canonical root URL" (scheme+authority) has changed, by checking
-scheme, hostname and port.
----
- requests/sessions.py | 4 +++-
- tests/test_requests.py | 12 +++++++++++-
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/requests/sessions.py b/requests/sessions.py
-index dd525e2ac..702cd73ec 100644
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -242,7 +242,9 @@ def rebuild_auth(self, prepared_request, response):
- original_parsed = urlparse(response.request.url)
- redirect_parsed = urlparse(url)
-
-- if (original_parsed.hostname != redirect_parsed.hostname):
-+ if (original_parsed.hostname != redirect_parsed.hostname
-+ or original_parsed.port != redirect_parsed.port
-+ or original_parsed.scheme != redirect_parsed.scheme):
- del headers['Authorization']
-
- # .netrc might have more auth for us on our new host.
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index fd04ad270..b05d8ebb2 100644
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1581,7 +1581,17 @@ def test_auth_is_stripped_on_redirect_off_host(self, httpbin):
- auth=('user', 'pass'),
- )
- assert r.history[0].request.headers['Authorization']
-- assert not r.request.headers.get('Authorization', '')
-+ assert 'Authorization' not in r.request.headers
-+
-+ def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle):
-+ r = requests.get(
-+ httpbin_secure('redirect-to'),
-+ params={'url': httpbin('get')},
-+ auth=('user', 'pass'),
-+ verify=httpbin_ca_bundle
-+ )
-+ assert r.history[0].request.headers['Authorization']
-+ assert 'Authorization' not in r.request.headers
-
- def test_auth_is_retained_for_redirect_on_host(self, httpbin):
- r = requests.get(httpbin('redirect/1'), auth=('user', 'pass'))
-
-From 857e9b7ac20c3accf4cc328f594aecb8b6a644a6 Mon Sep 17 00:00:00 2001
-From: Bruce Merry <bmerry@ska.ac.za>
-Date: Tue, 14 Aug 2018 13:30:43 +0200
-Subject: [PATCH 2/2] Rework authorization stripping logic as discussed
-
-The exception for http->https upgrade now requires the standard HTTP(S)
-ports to be used, either implicitly (no port specified) or explicitly.
----
- requests/sessions.py | 26 ++++++++++++++++++--------
- tests/test_requests.py | 33 ++++++++++++++++++++++-----------
- 2 files changed, 40 insertions(+), 19 deletions(-)
-
-diff --git a/requests/sessions.py b/requests/sessions.py
-index 702cd73ec..27d0e9717 100644
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -115,6 +115,22 @@ def get_redirect_target(self, resp):
- return to_native_string(location, 'utf8')
- return None
-
-+ def should_strip_auth(self, old_url, new_url):
-+ """Decide whether Authorization header should be removed when redirecting"""
-+ old_parsed = urlparse(old_url)
-+ new_parsed = urlparse(new_url)
-+ if old_parsed.hostname != new_parsed.hostname:
-+ return True
-+ # Special case: allow http -> https redirect when using the standard
-+ # ports. This isn't specified by RFC 7235, but is kept to avoid
-+ # breaking backwards compatibility with older versions of requests
-+ # that allowed any redirects on the same host.
-+ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
-+ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
-+ return False
-+ # Standard case: root URI must match
-+ return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
-+
- def resolve_redirects(self, resp, req, stream=False, timeout=None,
- verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
- """Receives a Response. Returns a generator of Responses or Requests."""
-@@ -236,16 +252,10 @@ def rebuild_auth(self, prepared_request, response):
- headers = prepared_request.headers
- url = prepared_request.url
-
-- if 'Authorization' in headers:
-+ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
- # If we get redirected to a new host, we should strip out any
- # authentication headers.
-- original_parsed = urlparse(response.request.url)
-- redirect_parsed = urlparse(url)
--
-- if (original_parsed.hostname != redirect_parsed.hostname
-- or original_parsed.port != redirect_parsed.port
-- or original_parsed.scheme != redirect_parsed.scheme):
-- del headers['Authorization']
-+ del headers['Authorization']
-
- # .netrc might have more auth for us on our new host.
- new_auth = get_netrc_auth(url) if self.trust_env else None
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index b05d8ebb2..660437988 100644
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1573,17 +1573,7 @@ def test_nonhttp_schemes_dont_check_URLs(self):
- preq = req.prepare()
- assert test_url == preq.url
-
-- @pytest.mark.xfail(raises=ConnectionError)
-- def test_auth_is_stripped_on_redirect_off_host(self, httpbin):
-- r = requests.get(
-- httpbin('redirect-to'),
-- params={'url': 'http://www.google.co.uk'},
-- auth=('user', 'pass'),
-- )
-- assert r.history[0].request.headers['Authorization']
-- assert 'Authorization' not in r.request.headers
--
-- def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle):
-+ def test_auth_is_stripped_on_http_downgrade(self, httpbin, httpbin_secure, httpbin_ca_bundle):
- r = requests.get(
- httpbin_secure('redirect-to'),
- params={'url': httpbin('get')},
-@@ -1600,6 +1590,27 @@ def test_auth_is_retained_for_redirect_on_host(self, httpbin):
-
- assert h1 == h2
-
-+ def test_should_strip_auth_host_change(self):
-+ s = requests.Session()
-+ assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/')
-+
-+ def test_should_strip_auth_http_downgrade(self):
-+ s = requests.Session()
-+ assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar')
-+
-+ def test_should_strip_auth_https_upgrade(self):
-+ s = requests.Session()
-+ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar')
-+ assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar')
-+ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar')
-+ # Non-standard ports should trigger stripping
-+ assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar')
-+ assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar')
-+
-+ def test_should_strip_auth_port_change(self):
-+ s = requests.Session()
-+ assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
-+
- def test_manual_redirect_with_partial_body_read(self, httpbin):
- s = requests.Session()
- r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
diff --git a/package.yml b/package.yml
--- a/package.yml
+++ b/package.yml
@@ -1,13 +1,14 @@
name : python-requests
-version : 2.18.4
-release : 5
+version : 2.21.0
+release : 6
source :
- - https://github.com/requests/requests/archive/v2.18.4.tar.gz : b068ccce3b739a29cbf72148b0ff4be3d80198fb7cdbd63066f7384bb56ef917
+ - https://github.com/requests/requests/archive/v2.21.0.tar.gz : 9f9a50b5f64f4569704b9c5e618b957109e3486256453c9016c6dbfa10570761
license : Apache-2.0
component : programming.python
summary : Python HTTP for Humans
description: |
Requests allows you to send organic, grass-fed HTTP/1.1 requests, without the need for manual labor. There's no need to manually add query strings to your URLs, or to form-encode your POST data. Keep-alive and HTTP connection pooling are 100% automatic, thanks to urllib3.
+networking : yes
builddeps :
- python-certifi
- python-chardet
@@ -19,11 +20,12 @@
- python-chardet
- python-idna
- python-urllib3
-setup : |
- %patch -p1 < $pkgfiles/security/cve-2018-18074.patch
build : |
%python_setup
%python3_setup
install : |
%python_install
%python3_install
+check : |
+ %python_test
+ %python3_test
\ No newline at end of file
diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml
--- a/pspec_x86_64.xml
+++ b/pspec_x86_64.xml
@@ -2,8 +2,8 @@
<Source>
<Name>python-requests</Name>
<Packager>
- <Name>Peter O&apos;Connor</Name>
- <Email>peter@solus-project.com</Email>
+ <Name>F. von Gellhorn</Name>
+ <Email>flinux@vongellhorn.ch</Email>
</Packager>
<License>Apache-2.0</License>
<PartOf>programming.python</PartOf>
@@ -19,12 +19,12 @@
</Description>
<PartOf>programming.python</PartOf>
<Files>
- <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.18.4-py2.7.egg-info/PKG-INFO</Path>
- <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.18.4-py2.7.egg-info/SOURCES.txt</Path>
- <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.18.4-py2.7.egg-info/dependency_links.txt</Path>
- <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.18.4-py2.7.egg-info/not-zip-safe</Path>
- <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.18.4-py2.7.egg-info/requires.txt</Path>
- <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.18.4-py2.7.egg-info/top_level.txt</Path>
+ <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.21.0-py2.7.egg-info/PKG-INFO</Path>
+ <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.21.0-py2.7.egg-info/SOURCES.txt</Path>
+ <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.21.0-py2.7.egg-info/dependency_links.txt</Path>
+ <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.21.0-py2.7.egg-info/not-zip-safe</Path>
+ <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.21.0-py2.7.egg-info/requires.txt</Path>
+ <Path fileType="library">/usr/lib/python2.7/site-packages/requests-2.21.0-py2.7.egg-info/top_level.txt</Path>
<Path fileType="library">/usr/lib/python2.7/site-packages/requests/__init__.py</Path>
<Path fileType="library">/usr/lib/python2.7/site-packages/requests/__init__.pyc</Path>
<Path fileType="library">/usr/lib/python2.7/site-packages/requests/__version__.py</Path>
@@ -61,12 +61,12 @@
<Path fileType="library">/usr/lib/python2.7/site-packages/requests/structures.pyc</Path>
<Path fileType="library">/usr/lib/python2.7/site-packages/requests/utils.py</Path>
<Path fileType="library">/usr/lib/python2.7/site-packages/requests/utils.pyc</Path>
- <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.18.4-py3.6.egg-info/PKG-INFO</Path>
- <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.18.4-py3.6.egg-info/SOURCES.txt</Path>
- <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.18.4-py3.6.egg-info/dependency_links.txt</Path>
- <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.18.4-py3.6.egg-info/not-zip-safe</Path>
- <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.18.4-py3.6.egg-info/requires.txt</Path>
- <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.18.4-py3.6.egg-info/top_level.txt</Path>
+ <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.21.0-py3.6.egg-info/PKG-INFO</Path>
+ <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.21.0-py3.6.egg-info/SOURCES.txt</Path>
+ <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.21.0-py3.6.egg-info/dependency_links.txt</Path>
+ <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.21.0-py3.6.egg-info/not-zip-safe</Path>
+ <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.21.0-py3.6.egg-info/requires.txt</Path>
+ <Path fileType="library">/usr/lib/python3.6/site-packages/requests-2.21.0-py3.6.egg-info/top_level.txt</Path>
<Path fileType="library">/usr/lib/python3.6/site-packages/requests/__init__.py</Path>
<Path fileType="library">/usr/lib/python3.6/site-packages/requests/__pycache__/__init__.cpython-36.pyc</Path>
<Path fileType="library">/usr/lib/python3.6/site-packages/requests/__pycache__/__version__.cpython-36.pyc</Path>
@@ -106,12 +106,12 @@
</Files>
</Package>
<History>
- <Update release="5">
- <Date>2018-10-23</Date>
- <Version>2.18.4</Version>
+ <Update release="6">
+ <Date>2018-12-20</Date>
+ <Version>2.21.0</Version>
<Comment>Packaging update</Comment>
- <Name>Peter O&apos;Connor</Name>
- <Email>peter@solus-project.com</Email>
+ <Name>F. von Gellhorn</Name>
+ <Email>flinux@vongellhorn.ch</Email>
</Update>
</History>
</PISI>
\ No newline at end of file

File Metadata

Mime Type
text/plain
Expires
Jun 12 2023, 4:35 PM (8 w, 1 d ago)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5792629
Default Alt Text
D4750.id11637.diff (14 KB)

Event Timeline

Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.