Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-requests for openSUSE:Factory
checked in at 2023-06-14 16:28:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-requests (Old)
and /work/SRC/openSUSE:Factory/.python-requests.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-requests"
Wed Jun 14 16:28:35 2023 rev:79 rq:1092607 version:2.31.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-requests/python-requests.changes
2023-05-19 11:55:25.819231894 +0200
+++
/work/SRC/openSUSE:Factory/.python-requests.new.15902/python-requests.changes
2023-06-14 16:28:41.066226670 +0200
@@ -1,0 +2,27 @@
+Mon Jun 12 12:02:29 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com>
+
+- Delete requests-no-hardcoded-version.patch
+- Security Update to 2.31.0 (bsc#1211674):
+ Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
+ forwarding of Proxy-Authorization headers to destination servers when
+ following HTTPS redirects.
+
+ When proxies are defined with user info (https://user:pass@proxy:8080),
Requests
+ will construct a Proxy-Authorization header that is attached to the request
to
+ authenticate with the proxy.
+
+ In cases where Requests receives a redirect response, it previously
reattached
+ the Proxy-Authorization header incorrectly, resulting in the value being
+ sent through the tunneled connection to the destination server. Users who
rely on
+ defining their proxy credentials in the URL are strongly encouraged to
upgrade
+ to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
+ credentials once the change has been fully deployed.
+
+ Users who do not use a proxy or do not supply their proxy credentials through
+ the user information portion of their proxy URL are not subject to this
+ vulnerability.
+
+ Full details can be read in our Github Security Advisory
+ and CVE-2023-32681.
+
+-------------------------------------------------------------------
Old:
----
requests-2.30.0.tar.gz
requests-no-hardcoded-version.patch
New:
----
requests-2.31.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-requests.spec ++++++
--- /var/tmp/diff_new_pack.89533T/_old 2023-06-14 16:28:41.678230433 +0200
+++ /var/tmp/diff_new_pack.89533T/_new 2023-06-14 16:28:41.678230433 +0200
@@ -26,14 +26,12 @@
%endif
%{?sle15_python_module_pythons}
Name: python-requests%{psuffix}
-Version: 2.30.0
+Version: 2.31.0
Release: 0
Summary: Python HTTP Library
License: Apache-2.0
URL: https://docs.python-requests.org/
Source:
https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM: Allow charset normalizer >=2 and <4, and don't strict
require httpbin===1.0.0
-Patch0: requests-no-hardcoded-version.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
++++++ requests-2.30.0.tar.gz -> requests-2.31.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/HISTORY.md
new/requests-2.31.0/HISTORY.md
--- old/requests-2.30.0/HISTORY.md 2023-05-03 17:41:00.000000000 +0200
+++ new/requests-2.31.0/HISTORY.md 2023-05-22 17:11:02.000000000 +0200
@@ -6,6 +6,33 @@
- \[Short description of non-trivial change.\]
+2.31.0 (2023-05-22)
+-------------------
+
+**Security**
+- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
+ forwarding of `Proxy-Authorization` headers to destination servers when
+ following HTTPS redirects.
+
+ When proxies are defined with user info (https://user:pass@proxy:8080),
Requests
+ will construct a `Proxy-Authorization` header that is attached to the
request to
+ authenticate with the proxy.
+
+ In cases where Requests receives a redirect response, it previously
reattached
+ the `Proxy-Authorization` header incorrectly, resulting in the value being
+ sent through the tunneled connection to the destination server. Users who
rely on
+ defining their proxy credentials in the URL are *strongly* encouraged to
upgrade
+ to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
+ credentials once the change has been fully deployed.
+
+ Users who do not use a proxy or do not supply their proxy credentials through
+ the user information portion of their proxy URL are not subject to this
+ vulnerability.
+
+ Full details can be read in our [Github Security
Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
+ and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).
+
+
2.30.0 (2023-05-03)
-------------------
@@ -73,7 +100,7 @@
cert verification. All Requests 2.x versions before 2.28.0 are affected.
(#6074)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with
`requests.exceptions.SSLError` for `content` and `iter_content`. (#6057)
-- Fixed issue where invalid Windows registry entires caused proxy resolution
+- Fixed issue where invalid Windows registry entries caused proxy resolution
to raise an exception rather than ignoring the entry. (#6149)
- Fixed issue where entire payload could be included in the error message for
JSONDecodeError. (#6036)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/PKG-INFO new/requests-2.31.0/PKG-INFO
--- old/requests-2.30.0/PKG-INFO 2023-05-03 17:43:34.000000000 +0200
+++ new/requests-2.31.0/PKG-INFO 2023-05-22 17:12:15.497877100 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: requests
-Version: 2.30.0
+Version: 2.31.0
Summary: Python HTTP for Humans.
Home-page: https://requests.readthedocs.io
Author: Kenneth Reitz
@@ -8,85 +8,6 @@
License: Apache 2.0
Project-URL: Documentation, https://requests.readthedocs.io
Project-URL: Source, https://github.com/psf/requests
-Description: # Requests
-
- **Requests** is a simple, yet elegant, HTTP library.
-
- ```python
- >>> import requests
- >>> r = requests.get('https://httpbin.org/basic-auth/user/pass',
auth=('user', 'pass'))
- >>> r.status_code
- 200
- >>> r.headers['content-type']
- 'application/json; charset=utf8'
- >>> r.encoding
- 'utf-8'
- >>> r.text
- '{"authenticated": true, ...'
- >>> r.json()
- {'authenticated': True, ...}
- ```
-
- Requests allows you to send HTTP/1.1 requests extremely easily.
Thereâs no need to manually add query strings to your URLs, or to form-encode
your `PUT` & `POST` data â but nowadays, just use the `json` method!
-
- Requests is one of the most downloaded Python packages today, pulling
in around `30M downloads / week`â according to GitHub, Requests is currently
[depended
upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D)
by `1,000,000+` repositories. You may certainly put your trust in this code.
-
-
[](https://pepy.tech/project/requests)
- [](https://pypi.org/project/requests)
-
[](https://github.com/psf/requests/graphs/contributors)
-
- ## Installing Requests and Supported Versions
-
- Requests is available on PyPI:
-
- ```console
- $ python -m pip install requests
- ```
-
- Requests officially supports Python 3.7+.
-
- ## Supported Features & BestâPractices
-
- Requests is ready for the demands of building robust and reliable
HTTPâspeaking applications, for the needs of today.
-
- - Keep-Alive & Connection Pooling
- - International Domains and URLs
- - Sessions with Cookie Persistence
- - Browser-style TLS/SSL Verification
- - Basic & Digest Authentication
- - Familiar `dict`âlike Cookies
- - Automatic Content Decompression and Decoding
- - Multi-part File Uploads
- - SOCKS Proxy Support
- - Connection Timeouts
- - Streaming Downloads
- - Automatic honoring of `.netrc`
- - Chunked HTTP Requests
-
- ## API Reference and User Guide available on [Read the
Docs](https://requests.readthedocs.io)
-
- [](https://requests.readthedocs.io)
-
- ## Cloning the repository
-
- When cloning the Requests repository, you may need to add the `-c
- fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad
commit (see
- [this issue](https://github.com/psf/requests/issues/2690) for more
background):
-
- ```shell
- git clone -c fetch.fsck.badTimezone=ignore
https://github.com/psf/requests.git
- ```
-
- You can also apply this setting to your global Git config:
-
- ```shell
- git config --global fetch.fsck.badTimezone ignore
- ```
-
- ---
-
- [](https://kennethreitz.org)
[](https://www.python.org/psf)
-
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
@@ -111,3 +32,85 @@
Provides-Extra: security
Provides-Extra: socks
Provides-Extra: use_chardet_on_py3
+License-File: LICENSE
+
+# Requests
+
+**Requests** is a simple, yet elegant, HTTP library.
+
+```python
+>>> import requests
+>>> r = requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user',
'pass'))
+>>> r.status_code
+200
+>>> r.headers['content-type']
+'application/json; charset=utf8'
+>>> r.encoding
+'utf-8'
+>>> r.text
+'{"authenticated": true, ...'
+>>> r.json()
+{'authenticated': True, ...}
+```
+
+Requests allows you to send HTTP/1.1 requests extremely easily. Thereâs no
need to manually add query strings to your URLs, or to form-encode your `PUT` &
`POST` data â but nowadays, just use the `json` method!
+
+Requests is one of the most downloaded Python packages today, pulling in
around `30M downloads / week`â according to GitHub, Requests is currently
[depended
upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D)
by `1,000,000+` repositories. You may certainly put your trust in this code.
+
+[](https://pepy.tech/project/requests)
+[](https://pypi.org/project/requests)
+[](https://github.com/psf/requests/graphs/contributors)
+
+## Installing Requests and Supported Versions
+
+Requests is available on PyPI:
+
+```console
+$ python -m pip install requests
+```
+
+Requests officially supports Python 3.7+.
+
+## Supported Features & BestâPractices
+
+Requests is ready for the demands of building robust and reliable
HTTPâspeaking applications, for the needs of today.
+
+- Keep-Alive & Connection Pooling
+- International Domains and URLs
+- Sessions with Cookie Persistence
+- Browser-style TLS/SSL Verification
+- Basic & Digest Authentication
+- Familiar `dict`âlike Cookies
+- Automatic Content Decompression and Decoding
+- Multi-part File Uploads
+- SOCKS Proxy Support
+- Connection Timeouts
+- Streaming Downloads
+- Automatic honoring of `.netrc`
+- Chunked HTTP Requests
+
+## API Reference and User Guide available on [Read the
Docs](https://requests.readthedocs.io)
+
+[](https://requests.readthedocs.io)
+
+## Cloning the repository
+
+When cloning the Requests repository, you may need to add the `-c
+fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see
+[this issue](https://github.com/psf/requests/issues/2690) for more background):
+
+```shell
+git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git
+```
+
+You can also apply this setting to your global Git config:
+
+```shell
+git config --global fetch.fsck.badTimezone ignore
+```
+
+---
+
+[](https://kennethreitz.org)
[](https://www.python.org/psf)
+
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/requests/__version__.py
new/requests-2.31.0/requests/__version__.py
--- old/requests-2.30.0/requests/__version__.py 2023-05-03 17:41:00.000000000
+0200
+++ new/requests-2.31.0/requests/__version__.py 2023-05-22 17:11:02.000000000
+0200
@@ -5,8 +5,8 @@
__title__ = "requests"
__description__ = "Python HTTP for Humans."
__url__ = "https://requests.readthedocs.io";
-__version__ = "2.30.0"
-__build__ = 0x023000
+__version__ = "2.31.0"
+__build__ = 0x023100
__author__ = "Kenneth Reitz"
__author_email__ = "m...@kennethreitz.org"
__license__ = "Apache 2.0"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/requests/sessions.py
new/requests-2.31.0/requests/sessions.py
--- old/requests-2.30.0/requests/sessions.py 2023-05-03 17:41:00.000000000
+0200
+++ new/requests-2.31.0/requests/sessions.py 2023-05-22 17:11:02.000000000
+0200
@@ -324,7 +324,9 @@
except KeyError:
username, password = None, None
- if username and password:
+ # urllib3 handles proxy authorization for us in the standard adapter.
+ # Avoid appending this to TLS tunneled requests where it may be leaked.
+ if not scheme.startswith('https') and username and password:
headers["Proxy-Authorization"] = _basic_auth_str(username,
password)
return new_proxies
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/requests.egg-info/PKG-INFO
new/requests-2.31.0/requests.egg-info/PKG-INFO
--- old/requests-2.30.0/requests.egg-info/PKG-INFO 2023-05-03
17:43:34.000000000 +0200
+++ new/requests-2.31.0/requests.egg-info/PKG-INFO 2023-05-22
17:12:15.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: requests
-Version: 2.30.0
+Version: 2.31.0
Summary: Python HTTP for Humans.
Home-page: https://requests.readthedocs.io
Author: Kenneth Reitz
@@ -8,85 +8,6 @@
License: Apache 2.0
Project-URL: Documentation, https://requests.readthedocs.io
Project-URL: Source, https://github.com/psf/requests
-Description: # Requests
-
- **Requests** is a simple, yet elegant, HTTP library.
-
- ```python
- >>> import requests
- >>> r = requests.get('https://httpbin.org/basic-auth/user/pass',
auth=('user', 'pass'))
- >>> r.status_code
- 200
- >>> r.headers['content-type']
- 'application/json; charset=utf8'
- >>> r.encoding
- 'utf-8'
- >>> r.text
- '{"authenticated": true, ...'
- >>> r.json()
- {'authenticated': True, ...}
- ```
-
- Requests allows you to send HTTP/1.1 requests extremely easily.
Thereâs no need to manually add query strings to your URLs, or to form-encode
your `PUT` & `POST` data â but nowadays, just use the `json` method!
-
- Requests is one of the most downloaded Python packages today, pulling
in around `30M downloads / week`â according to GitHub, Requests is currently
[depended
upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D)
by `1,000,000+` repositories. You may certainly put your trust in this code.
-
-
[](https://pepy.tech/project/requests)
- [](https://pypi.org/project/requests)
-
[](https://github.com/psf/requests/graphs/contributors)
-
- ## Installing Requests and Supported Versions
-
- Requests is available on PyPI:
-
- ```console
- $ python -m pip install requests
- ```
-
- Requests officially supports Python 3.7+.
-
- ## Supported Features & BestâPractices
-
- Requests is ready for the demands of building robust and reliable
HTTPâspeaking applications, for the needs of today.
-
- - Keep-Alive & Connection Pooling
- - International Domains and URLs
- - Sessions with Cookie Persistence
- - Browser-style TLS/SSL Verification
- - Basic & Digest Authentication
- - Familiar `dict`âlike Cookies
- - Automatic Content Decompression and Decoding
- - Multi-part File Uploads
- - SOCKS Proxy Support
- - Connection Timeouts
- - Streaming Downloads
- - Automatic honoring of `.netrc`
- - Chunked HTTP Requests
-
- ## API Reference and User Guide available on [Read the
Docs](https://requests.readthedocs.io)
-
- [](https://requests.readthedocs.io)
-
- ## Cloning the repository
-
- When cloning the Requests repository, you may need to add the `-c
- fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad
commit (see
- [this issue](https://github.com/psf/requests/issues/2690) for more
background):
-
- ```shell
- git clone -c fetch.fsck.badTimezone=ignore
https://github.com/psf/requests.git
- ```
-
- You can also apply this setting to your global Git config:
-
- ```shell
- git config --global fetch.fsck.badTimezone ignore
- ```
-
- ---
-
- [](https://kennethreitz.org)
[](https://www.python.org/psf)
-
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
@@ -111,3 +32,85 @@
Provides-Extra: security
Provides-Extra: socks
Provides-Extra: use_chardet_on_py3
+License-File: LICENSE
+
+# Requests
+
+**Requests** is a simple, yet elegant, HTTP library.
+
+```python
+>>> import requests
+>>> r = requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user',
'pass'))
+>>> r.status_code
+200
+>>> r.headers['content-type']
+'application/json; charset=utf8'
+>>> r.encoding
+'utf-8'
+>>> r.text
+'{"authenticated": true, ...'
+>>> r.json()
+{'authenticated': True, ...}
+```
+
+Requests allows you to send HTTP/1.1 requests extremely easily. Thereâs no
need to manually add query strings to your URLs, or to form-encode your `PUT` &
`POST` data â but nowadays, just use the `json` method!
+
+Requests is one of the most downloaded Python packages today, pulling in
around `30M downloads / week`â according to GitHub, Requests is currently
[depended
upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D)
by `1,000,000+` repositories. You may certainly put your trust in this code.
+
+[](https://pepy.tech/project/requests)
+[](https://pypi.org/project/requests)
+[](https://github.com/psf/requests/graphs/contributors)
+
+## Installing Requests and Supported Versions
+
+Requests is available on PyPI:
+
+```console
+$ python -m pip install requests
+```
+
+Requests officially supports Python 3.7+.
+
+## Supported Features & BestâPractices
+
+Requests is ready for the demands of building robust and reliable
HTTPâspeaking applications, for the needs of today.
+
+- Keep-Alive & Connection Pooling
+- International Domains and URLs
+- Sessions with Cookie Persistence
+- Browser-style TLS/SSL Verification
+- Basic & Digest Authentication
+- Familiar `dict`âlike Cookies
+- Automatic Content Decompression and Decoding
+- Multi-part File Uploads
+- SOCKS Proxy Support
+- Connection Timeouts
+- Streaming Downloads
+- Automatic honoring of `.netrc`
+- Chunked HTTP Requests
+
+## API Reference and User Guide available on [Read the
Docs](https://requests.readthedocs.io)
+
+[](https://requests.readthedocs.io)
+
+## Cloning the repository
+
+When cloning the Requests repository, you may need to add the `-c
+fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see
+[this issue](https://github.com/psf/requests/issues/2690) for more background):
+
+```shell
+git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git
+```
+
+You can also apply this setting to your global Git config:
+
+```shell
+git config --global fetch.fsck.badTimezone ignore
+```
+
+---
+
+[](https://kennethreitz.org)
[](https://www.python.org/psf)
+
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/requirements-dev.txt
new/requests-2.31.0/requirements-dev.txt
--- old/requests-2.30.0/requirements-dev.txt 2023-05-03 17:41:00.000000000
+0200
+++ new/requests-2.31.0/requirements-dev.txt 2023-05-22 17:08:07.000000000
+0200
@@ -1,7 +1,7 @@
-e .[socks]
pytest>=2.8.0,<=6.2.5
pytest-cov
-pytest-httpbin==1.0.0
+pytest-httpbin==2.0.0
pytest-mock==2.0.0
httpbin==0.7.0
trustme
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/setup.py new/requests-2.31.0/setup.py
--- old/requests-2.30.0/setup.py 2023-05-03 17:41:00.000000000 +0200
+++ new/requests-2.31.0/setup.py 2023-05-22 17:08:07.000000000 +0200
@@ -65,7 +65,7 @@
"certifi>=2017.4.17",
]
test_requirements = [
- "pytest-httpbin==0.0.7",
+ "pytest-httpbin==2.0.0",
"pytest-cov",
"pytest-mock",
"pytest-xdist",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/requests-2.30.0/tests/test_requests.py
new/requests-2.31.0/tests/test_requests.py
--- old/requests-2.30.0/tests/test_requests.py 2023-05-03 17:41:00.000000000
+0200
+++ new/requests-2.31.0/tests/test_requests.py 2023-05-22 17:11:02.000000000
+0200
@@ -647,6 +647,26 @@
assert sent_headers.get("Proxy-Authorization") == proxy_auth_value
+
+ @pytest.mark.parametrize(
+ "url,has_proxy_auth",
+ (
+ ('http://example.com', True),
+ ('https://example.com', False),
+ ),
+ )
+ def test_proxy_authorization_not_appended_to_https_request(self, url,
has_proxy_auth):
+ session = requests.Session()
+ proxies = {
+ 'http': 'http://test:pass@localhost:8080',
+ 'https': 'http://test:pass@localhost:8090',
+ }
+ req = requests.Request('GET', url)
+ prep = req.prepare()
+ session.rebuild_proxies(prep, proxies)
+
+ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
+
def test_basicauth_with_netrc(self, httpbin):
auth = ("user", "pass")
wrong_auth = ("wronguser", "wrongpass")
