Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-requests for openSUSE:Factory checked in at 2023-06-14 16:28:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-requests (Old) and /work/SRC/openSUSE:Factory/.python-requests.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-requests" Wed Jun 14 16:28:35 2023 rev:79 rq:1092607 version:2.31.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-requests/python-requests.changes 2023-05-19 11:55:25.819231894 +0200 +++ /work/SRC/openSUSE:Factory/.python-requests.new.15902/python-requests.changes 2023-06-14 16:28:41.066226670 +0200 
@@ -1,0 +2,27 @@ +Mon Jun 12 12:02:29 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com> + +- Delete requests-no-hardcoded-version.patch +- Security Update to 2.31.0 (bsc#1211674): + Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential + forwarding of Proxy-Authorization headers to destination servers when + following HTTPS redirects. + + When proxies are defined with user info (https://user:pass@proxy:8080), Requests + will construct a Proxy-Authorization header that is attached to the request to + authenticate with the proxy. + + In cases where Requests receives a redirect response, it previously reattached + the Proxy-Authorization header incorrectly, resulting in the value being + sent through the tunneled connection to the destination server. Users who rely on + defining their proxy credentials in the URL are strongly encouraged to upgrade + to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy + credentials once the change has been fully deployed. + + Users who do not use a proxy or do not supply their proxy credentials through + the user information portion of their proxy URL are not subject to this + vulnerability. + + Full details can be read in our Github Security Advisory + and CVE-2023-32681. + +------------------------------------------------------------------- Old: ---- requests-2.30.0.tar.gz requests-no-hardcoded-version.patch New: ---- requests-2.31.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-requests.spec ++++++ --- /var/tmp/diff_new_pack.89533T/_old 2023-06-14 16:28:41.678230433 +0200 +++ /var/tmp/diff_new_pack.89533T/_new 2023-06-14 16:28:41.678230433 +0200 
@@ -26,14 +26,12 @@ %endif %{?sle15_python_module_pythons} Name: python-requests%{psuffix} -Version: 2.30.0 +Version: 2.31.0 Release: 0 Summary: Python HTTP Library License: Apache-2.0 URL: https://docs.python-requests.org/ Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz -# PATCH-FIX-UPSTREAM: Allow charset normalizer >=2 and <4, and don't strict require httpbin===1.0.0 -Patch0: requests-no-hardcoded-version.patch BuildRequires: %{python_module base >= 3.7} BuildRequires: %{python_module setuptools} BuildRequires: fdupes ++++++ requests-2.30.0.tar.gz -> requests-2.31.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/HISTORY.md new/requests-2.31.0/HISTORY.md --- old/requests-2.30.0/HISTORY.md 2023-05-03 17:41:00.000000000 +0200 +++ new/requests-2.31.0/HISTORY.md 2023-05-22 17:11:02.000000000 +0200 
@@ -6,6 +6,33 @@ - \[Short description of non-trivial change.\] +2.31.0 (2023-05-22) +------------------- + +**Security** +- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential + forwarding of `Proxy-Authorization` headers to destination servers when + following HTTPS redirects. + + When proxies are defined with user info (https://user:pass@proxy:8080), Requests + will construct a `Proxy-Authorization` header that is attached to the request to + authenticate with the proxy. + + In cases where Requests receives a redirect response, it previously reattached + the `Proxy-Authorization` header incorrectly, resulting in the value being + sent through the tunneled connection to the destination server. Users who rely on + defining their proxy credentials in the URL are *strongly* encouraged to upgrade + to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy + credentials once the change has been fully deployed. + + Users who do not use a proxy or do not supply their proxy credentials through + the user information portion of their proxy URL are not subject to this + vulnerability. + + Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q) + and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681). + + 2.30.0 (2023-05-03) ------------------- 
@@ -73,7 +100,7 @@ cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with `requests.exceptions.SSLError` for `content` and `iter_content`. (#6057) -- Fixed issue where invalid Windows registry entires caused proxy resolution +- Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (#6149) - Fixed issue where entire payload could be included in the error message for JSONDecodeError. (#6036) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/PKG-INFO new/requests-2.31.0/PKG-INFO --- old/requests-2.30.0/PKG-INFO 2023-05-03 17:43:34.000000000 +0200 +++ new/requests-2.31.0/PKG-INFO 2023-05-22 17:12:15.497877100 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: requests -Version: 2.30.0 +Version: 2.31.0 Summary: Python HTTP for Humans. Home-page: https://requests.readthedocs.io Author: Kenneth Reitz 
@@ -8,85 +8,6 @@ License: Apache 2.0 Project-URL: Documentation, https://requests.readthedocs.io Project-URL: Source, https://github.com/psf/requests -Description: # Requests - - **Requests** is a simple, yet elegant, HTTP library. - - ```python - >>> import requests - >>> r = requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user', 'pass')) - >>> r.status_code - 200 - >>> r.headers['content-type'] - 'application/json; charset=utf8' - >>> r.encoding - 'utf-8' - >>> r.text - '{"authenticated": true, ...' - >>> r.json() - {'authenticated': True, ...} - ``` - - Requests allows you to send HTTP/1.1 requests extremely easily. Thereâs no need to manually add query strings to your URLs, or to form-encode your `PUT` & `POST` data â but nowadays, just use the `json` method! - - Requests is one of the most downloaded Python packages today, pulling in around `30M downloads / week`â according to GitHub, Requests is currently [depended upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D) by `1,000,000+` repositories. You may certainly put your trust in this code. - - [![Downloads](https://pepy.tech/badge/requests/month)](https://pepy.tech/project/requests) - [![Supported Versions](https://img.shields.io/pypi/pyversions/requests.svg)](https://pypi.org/project/requests) - [![Contributors](https://img.shields.io/github/contributors/psf/requests.svg)](https://github.com/psf/requests/graphs/contributors) - - ## Installing Requests and Supported Versions - - Requests is available on PyPI: - - ```console - $ python -m pip install requests - ``` - - Requests officially supports Python 3.7+. - - ## Supported Features & BestâPractices - - Requests is ready for the demands of building robust and reliable HTTPâspeaking applications, for the needs of today. 
- - - Keep-Alive & Connection Pooling - - International Domains and URLs - - Sessions with Cookie Persistence - - Browser-style TLS/SSL Verification - - Basic & Digest Authentication - - Familiar `dict`âlike Cookies - - Automatic Content Decompression and Decoding - - Multi-part File Uploads - - SOCKS Proxy Support - - Connection Timeouts - - Streaming Downloads - - Automatic honoring of `.netrc` - - Chunked HTTP Requests - - ## API Reference and User Guide available on [Read the Docs](https://requests.readthedocs.io) - - [![Read the Docs](https://raw.githubusercontent.com/psf/requests/main/ext/ss.png)](https://requests.readthedocs.io) - - ## Cloning the repository - - When cloning the Requests repository, you may need to add the `-c - fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see - [this issue](https://github.com/psf/requests/issues/2690) for more background): - - ```shell - git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git - ``` - - You can also apply this setting to your global Git config: - - ```shell - git config --global fetch.fsck.badTimezone ignore - ``` - - --- - - [![Kenneth Reitz](https://raw.githubusercontent.com/psf/requests/main/ext/kr.png)](https://kennethreitz.org) [![Python Software Foundation](https://raw.githubusercontent.com/psf/requests/main/ext/psf.png)](https://www.python.org/psf) - Platform: UNKNOWN Classifier: Development Status :: 5 - Production/Stable Classifier: Environment :: Web Environment 
@@ -111,3 +32,85 @@ Provides-Extra: security Provides-Extra: socks Provides-Extra: use_chardet_on_py3 +License-File: LICENSE + +# Requests + +**Requests** is a simple, yet elegant, HTTP library. + +```python +>>> import requests +>>> r = requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user', 'pass')) +>>> r.status_code +200 +>>> r.headers['content-type'] +'application/json; charset=utf8' +>>> r.encoding +'utf-8' +>>> r.text +'{"authenticated": true, ...' +>>> r.json() +{'authenticated': True, ...} +``` + +Requests allows you to send HTTP/1.1 requests extremely easily. Thereâs no need to manually add query strings to your URLs, or to form-encode your `PUT` & `POST` data â but nowadays, just use the `json` method! + +Requests is one of the most downloaded Python packages today, pulling in around `30M downloads / week`â according to GitHub, Requests is currently [depended upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D) by `1,000,000+` repositories. You may certainly put your trust in this code. + +[![Downloads](https://pepy.tech/badge/requests/month)](https://pepy.tech/project/requests) +[![Supported Versions](https://img.shields.io/pypi/pyversions/requests.svg)](https://pypi.org/project/requests) +[![Contributors](https://img.shields.io/github/contributors/psf/requests.svg)](https://github.com/psf/requests/graphs/contributors) + +## Installing Requests and Supported Versions + +Requests is available on PyPI: + +```console +$ python -m pip install requests +``` + +Requests officially supports Python 3.7+. + +## Supported Features & BestâPractices + +Requests is ready for the demands of building robust and reliable HTTPâspeaking applications, for the needs of today. 
+ +- Keep-Alive & Connection Pooling +- International Domains and URLs +- Sessions with Cookie Persistence +- Browser-style TLS/SSL Verification +- Basic & Digest Authentication +- Familiar `dict`âlike Cookies +- Automatic Content Decompression and Decoding +- Multi-part File Uploads +- SOCKS Proxy Support +- Connection Timeouts +- Streaming Downloads +- Automatic honoring of `.netrc` +- Chunked HTTP Requests + +## API Reference and User Guide available on [Read the Docs](https://requests.readthedocs.io) + +[![Read the Docs](https://raw.githubusercontent.com/psf/requests/main/ext/ss.png)](https://requests.readthedocs.io) + +## Cloning the repository + +When cloning the Requests repository, you may need to add the `-c +fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see +[this issue](https://github.com/psf/requests/issues/2690) for more background): + +```shell +git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git +``` + +You can also apply this setting to your global Git config: + +```shell +git config --global fetch.fsck.badTimezone ignore +``` + +--- + +[![Kenneth Reitz](https://raw.githubusercontent.com/psf/requests/main/ext/kr.png)](https://kennethreitz.org) [![Python Software Foundation](https://raw.githubusercontent.com/psf/requests/main/ext/psf.png)](https://www.python.org/psf) + + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/requests/__version__.py new/requests-2.31.0/requests/__version__.py --- old/requests-2.30.0/requests/__version__.py 2023-05-03 17:41:00.000000000 +0200 +++ new/requests-2.31.0/requests/__version__.py 2023-05-22 17:11:02.000000000 +0200 
@@ -5,8 +5,8 @@ __title__ = "requests" __description__ = "Python HTTP for Humans." __url__ = "https://requests.readthedocs.io" -__version__ = "2.30.0" -__build__ = 0x023000 +__version__ = "2.31.0" +__build__ = 0x023100 __author__ = "Kenneth Reitz" __author_email__ = "m...@kennethreitz.org" __license__ = "Apache 2.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/requests/sessions.py new/requests-2.31.0/requests/sessions.py --- old/requests-2.30.0/requests/sessions.py 2023-05-03 17:41:00.000000000 +0200 +++ new/requests-2.31.0/requests/sessions.py 2023-05-22 17:11:02.000000000 +0200 @@ -324,7 +324,9 @@ except KeyError: username, password = None, None - if username and password: + # urllib3 handles proxy authorization for us in the standard adapter. + # Avoid appending this to TLS tunneled requests where it may be leaked. + if not scheme.startswith('https') and username and password: headers["Proxy-Authorization"] = _basic_auth_str(username, password) return new_proxies diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/requests.egg-info/PKG-INFO new/requests-2.31.0/requests.egg-info/PKG-INFO --- old/requests-2.30.0/requests.egg-info/PKG-INFO 2023-05-03 17:43:34.000000000 +0200 +++ new/requests-2.31.0/requests.egg-info/PKG-INFO 2023-05-22 17:12:15.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: requests -Version: 2.30.0 +Version: 2.31.0 Summary: Python HTTP for Humans. Home-page: https://requests.readthedocs.io Author: Kenneth Reitz 
@@ -8,85 +8,6 @@ License: Apache 2.0 Project-URL: Documentation, https://requests.readthedocs.io Project-URL: Source, https://github.com/psf/requests -Description: # Requests - - **Requests** is a simple, yet elegant, HTTP library. - - ```python - >>> import requests - >>> r = requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user', 'pass')) - >>> r.status_code - 200 - >>> r.headers['content-type'] - 'application/json; charset=utf8' - >>> r.encoding - 'utf-8' - >>> r.text - '{"authenticated": true, ...' - >>> r.json() - {'authenticated': True, ...} - ``` - - Requests allows you to send HTTP/1.1 requests extremely easily. Thereâs no need to manually add query strings to your URLs, or to form-encode your `PUT` & `POST` data â but nowadays, just use the `json` method! - - Requests is one of the most downloaded Python packages today, pulling in around `30M downloads / week`â according to GitHub, Requests is currently [depended upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D) by `1,000,000+` repositories. You may certainly put your trust in this code. - - [![Downloads](https://pepy.tech/badge/requests/month)](https://pepy.tech/project/requests) - [![Supported Versions](https://img.shields.io/pypi/pyversions/requests.svg)](https://pypi.org/project/requests) - [![Contributors](https://img.shields.io/github/contributors/psf/requests.svg)](https://github.com/psf/requests/graphs/contributors) - - ## Installing Requests and Supported Versions - - Requests is available on PyPI: - - ```console - $ python -m pip install requests - ``` - - Requests officially supports Python 3.7+. - - ## Supported Features & BestâPractices - - Requests is ready for the demands of building robust and reliable HTTPâspeaking applications, for the needs of today. 
- - - Keep-Alive & Connection Pooling - - International Domains and URLs - - Sessions with Cookie Persistence - - Browser-style TLS/SSL Verification - - Basic & Digest Authentication - - Familiar `dict`âlike Cookies - - Automatic Content Decompression and Decoding - - Multi-part File Uploads - - SOCKS Proxy Support - - Connection Timeouts - - Streaming Downloads - - Automatic honoring of `.netrc` - - Chunked HTTP Requests - - ## API Reference and User Guide available on [Read the Docs](https://requests.readthedocs.io) - - [![Read the Docs](https://raw.githubusercontent.com/psf/requests/main/ext/ss.png)](https://requests.readthedocs.io) - - ## Cloning the repository - - When cloning the Requests repository, you may need to add the `-c - fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see - [this issue](https://github.com/psf/requests/issues/2690) for more background): - - ```shell - git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git - ``` - - You can also apply this setting to your global Git config: - - ```shell - git config --global fetch.fsck.badTimezone ignore - ``` - - --- - - [![Kenneth Reitz](https://raw.githubusercontent.com/psf/requests/main/ext/kr.png)](https://kennethreitz.org) [![Python Software Foundation](https://raw.githubusercontent.com/psf/requests/main/ext/psf.png)](https://www.python.org/psf) - Platform: UNKNOWN Classifier: Development Status :: 5 - Production/Stable Classifier: Environment :: Web Environment 
@@ -111,3 +32,85 @@ Provides-Extra: security Provides-Extra: socks Provides-Extra: use_chardet_on_py3 +License-File: LICENSE + +# Requests + +**Requests** is a simple, yet elegant, HTTP library. + +```python +>>> import requests +>>> r = requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user', 'pass')) +>>> r.status_code +200 +>>> r.headers['content-type'] +'application/json; charset=utf8' +>>> r.encoding +'utf-8' +>>> r.text +'{"authenticated": true, ...' +>>> r.json() +{'authenticated': True, ...} +``` + +Requests allows you to send HTTP/1.1 requests extremely easily. Thereâs no need to manually add query strings to your URLs, or to form-encode your `PUT` & `POST` data â but nowadays, just use the `json` method! + +Requests is one of the most downloaded Python packages today, pulling in around `30M downloads / week`â according to GitHub, Requests is currently [depended upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D) by `1,000,000+` repositories. You may certainly put your trust in this code. + +[![Downloads](https://pepy.tech/badge/requests/month)](https://pepy.tech/project/requests) +[![Supported Versions](https://img.shields.io/pypi/pyversions/requests.svg)](https://pypi.org/project/requests) +[![Contributors](https://img.shields.io/github/contributors/psf/requests.svg)](https://github.com/psf/requests/graphs/contributors) + +## Installing Requests and Supported Versions + +Requests is available on PyPI: + +```console +$ python -m pip install requests +``` + +Requests officially supports Python 3.7+. + +## Supported Features & BestâPractices + +Requests is ready for the demands of building robust and reliable HTTPâspeaking applications, for the needs of today. 
+ +- Keep-Alive & Connection Pooling +- International Domains and URLs +- Sessions with Cookie Persistence +- Browser-style TLS/SSL Verification +- Basic & Digest Authentication +- Familiar `dict`âlike Cookies +- Automatic Content Decompression and Decoding +- Multi-part File Uploads +- SOCKS Proxy Support +- Connection Timeouts +- Streaming Downloads +- Automatic honoring of `.netrc` +- Chunked HTTP Requests + +## API Reference and User Guide available on [Read the Docs](https://requests.readthedocs.io) + +[![Read the Docs](https://raw.githubusercontent.com/psf/requests/main/ext/ss.png)](https://requests.readthedocs.io) + +## Cloning the repository + +When cloning the Requests repository, you may need to add the `-c +fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see +[this issue](https://github.com/psf/requests/issues/2690) for more background): + +```shell +git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git +``` + +You can also apply this setting to your global Git config: + +```shell +git config --global fetch.fsck.badTimezone ignore +``` + +--- + +[![Kenneth Reitz](https://raw.githubusercontent.com/psf/requests/main/ext/kr.png)](https://kennethreitz.org) [![Python Software Foundation](https://raw.githubusercontent.com/psf/requests/main/ext/psf.png)](https://www.python.org/psf) + + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/requirements-dev.txt new/requests-2.31.0/requirements-dev.txt --- old/requests-2.30.0/requirements-dev.txt 2023-05-03 17:41:00.000000000 +0200 +++ new/requests-2.31.0/requirements-dev.txt 2023-05-22 17:08:07.000000000 +0200 
@@ -1,7 +1,7 @@ -e .[socks] pytest>=2.8.0,<=6.2.5 pytest-cov -pytest-httpbin==1.0.0 +pytest-httpbin==2.0.0 pytest-mock==2.0.0 httpbin==0.7.0 trustme diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/setup.py new/requests-2.31.0/setup.py --- old/requests-2.30.0/setup.py 2023-05-03 17:41:00.000000000 +0200 +++ new/requests-2.31.0/setup.py 2023-05-22 17:08:07.000000000 +0200 @@ -65,7 +65,7 @@ "certifi>=2017.4.17", ] test_requirements = [ - "pytest-httpbin==0.0.7", + "pytest-httpbin==2.0.0", "pytest-cov", "pytest-mock", "pytest-xdist", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/requests-2.30.0/tests/test_requests.py new/requests-2.31.0/tests/test_requests.py --- old/requests-2.30.0/tests/test_requests.py 2023-05-03 17:41:00.000000000 +0200 +++ new/requests-2.31.0/tests/test_requests.py 2023-05-22 17:11:02.000000000 +0200 @@ -647,6 +647,26 @@ assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + + @pytest.mark.parametrize( + "url,has_proxy_auth", + ( + ('http://example.com', True), + ('https://example.com', False), + ), + ) + def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): + session = requests.Session() + proxies = { + 'http': 'http://test:pass@localhost:8080', + 'https': 'http://test:pass@localhost:8090', + } + req = requests.Request('GET', url) + prep = req.prepare() + session.rebuild_proxies(prep, proxies) + + assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth + def test_basicauth_with_netrc(self, httpbin): auth = ("user", "pass") wrong_auth = ("wronguser", "wrongpass")
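Review bot: In the python-requests.spec hunk (`@@ -26,14 +26,12 @@`), the removed `-# PATCH-FIX-UPSTREAM` / `-Patch0: requests-no-hardcoded-version.patch` lines drop a patch whose own comment says it relaxed the charset normalizer range and the strict httpbin pin, but neither this hunk nor the changes entry ("- Delete requests-no-hardcoded-version.patch") says why 2.31.0 no longer needs it; the only upstream dependency change visible in this diff is `pytest-httpbin` in setup.py and requirements-dev.txt. Suggest the changes entry state the reason the patch is obsolete (for example, that the relaxation is now upstream, or that the new pytest-httpbin pin makes it unnecessary) so the next updater does not have to re-derive it.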
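Review bot: In the requests/sessions.py hunk (`@@ -324,7 +324,9 @@`), the new condition `if not scheme.startswith('https') and username and password:` means Requests itself never attaches `Proxy-Authorization` for an HTTPS target at all, redirect or not; as the added comment says, the header is left to urllib3 "in the standard adapter". The HISTORY.md entry in this diff describes only the redirect leak, so a reader of the changelog will not learn that a custom transport adapter relying on `rebuild_proxies` to populate the header for HTTPS proxies no longer gets it. Suggest one sentence in the HISTORY entry naming that behaviour change, and a short comment on why the prefix check `startswith('https')` rather than an exact scheme comparison is wanted here, since nothing in the visible lines explains it.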
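Review bot: In the tests/test_requests.py hunk (`@@ -647,6 +647,26 @@`), `test_proxy_authorization_not_appended_to_https_request` calls `session.rebuild_proxies(prep, proxies)` directly, so it checks the changed condition but not the path the advisory describes: a redirect to an HTTPS destination handled while following redirects. Suggest adding a case that actually follows a redirect and asserts on the headers sent through the tunnelled request, in the style of the existing test immediately above that checks `sent_headers.get("Proxy-Authorization")`. Style: the new parametrize block and `proxies` dict use single-quoted strings (`'http://example.com'`, `'http': 'http://test:pass@localhost:8080'`) while the surrounding file uses double quotes (`auth = ("user", "pass")`, `"Proxy-Authorization"`); align with the file's formatting.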
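Review bot: In the setup.py hunk (`@@ -65,7 +65,7 @@`), `"pytest-httpbin==0.0.7"` becomes `"pytest-httpbin==2.0.0"`, which finally matches requirements-dev.txt (moved from 1.0.0 to 2.0.0 in the hunk above it); before this change the two files disagreed on the pin. requirements-dev.txt still pins `httpbin==0.7.0`, which this diff does not touch: confirm that pin is compatible with pytest-httpbin 2.0.0, or bump it in the same change so the test dependencies are updated together.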