Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-urllib3 for openSUSE:Factory checked in at 2023-07-06 18:28:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old) and /work/SRC/openSUSE:Factory/.python-urllib3.new.23466 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3" Thu Jul 6 18:28:04 2023 rev:58 rq:1096959 version:2.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes 2023-05-19 11:55:54.831397896 +0200 +++ /work/SRC/openSUSE:Factory/.python-urllib3.new.23466/python-urllib3.changes 2023-07-06 18:28:09.206954409 +0200 @@ -1,0 +2,19 @@ +Wed Jul 5 11:42:20 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com> + +- Disable test_deprecated_no_scheme so it needs network connection to + run correctly. + +------------------------------------------------------------------- +Mon Jun 19 20:26:34 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 2.0.3: + * Allowed alternative SSL libraries such as LibreSSL, while + still issuing a warning as we cannot help users facing issues + with implementations other than OpenSSL. + * Deprecated URLs which don't have an explicit scheme + * Fixed response decoding with Zstandard when compressed data + is made of several frames. + * Fixed ``assert_hostname=False`` to correctly skip hostname + check. + +------------------------------------------------------------------- Old: ---- urllib3-2.0.2.tar.gz New: ---- urllib3-2.0.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.K6IsmW/_old 2023-07-06 18:28:09.866958460 +0200 +++ /var/tmp/diff_new_pack.K6IsmW/_new 2023-07-06 18:28:09.874958509 +0200 @@ -26,7 +26,7 @@ %endif %{?sle15_python_module_pythons} Name: python-urllib3%{psuffix} -Version: 2.0.2 +Version: 2.0.3 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT 
@@ -112,6 +112,8 @@ skiplist+=" or test_recent_date" # too slow to run in obs (checks 2GiB of data) skiplist+=" or test_requesting_large_resources_via_ssl" +# Try to access external evil.com +skiplist+=" or test_deprecated_no_scheme" %pytest -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py %endif ++++++ urllib3-2.0.2.tar.gz -> urllib3-2.0.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/CHANGES.rst new/urllib3-2.0.3/CHANGES.rst --- old/urllib3-2.0.2/CHANGES.rst 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/CHANGES.rst 2023-06-07 12:13:12.000000000 +0200 @@ -1,3 +1,12 @@ +2.0.3 (2023-06-07) +================== + +- Allowed alternative SSL libraries such as LibreSSL, while still issuing a warning as we cannot help users facing issues with implementations other than OpenSSL. (`#3020 <https://github.com/urllib3/urllib3/issues/3020>`__) +- Deprecated URLs which don't have an explicit scheme (`#2950 <https://github.com/urllib3/urllib3/pull/2950>`_) +- Fixed response decoding with Zstandard when compressed data is made of several frames. (`#3008 <https://github.com/urllib3/urllib3/issues/3008>`__) +- Fixed ``assert_hostname=False`` to correctly skip hostname check. (`#3051 <https://github.com/urllib3/urllib3/issues/3051>`__) + + 2.0.2 (2023-05-03) ================== 
@@ -137,6 +146,12 @@ * Fixed a socket leak if ``HTTPConnection.connect()`` fails (`#2571 <https://github.com/urllib3/urllib3/pull/2571>`__). * Fixed ``urllib3.contrib.pyopenssl.WrappedSocket`` and ``urllib3.contrib.securetransport.WrappedSocket`` close methods (`#2970 <https://github.com/urllib3/urllib3/issues/2970>`__) +1.26.16 (2023-05-23) +==================== + +* Fixed thread-safety issue where accessing a ``PoolManager`` with many distinct origins + would cause connection pools to be closed while requests are in progress (`#2954 <https://github.com/urllib3/urllib3/pull/2954>`_) + 1.26.15 (2023-03-10) ==================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/LICENSE.txt new/urllib3-2.0.3/LICENSE.txt --- old/urllib3-2.0.2/LICENSE.txt 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/LICENSE.txt 2023-06-07 12:13:12.000000000 +0200 @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt) +Copyright (c) 2008-2020 Andrey Petrov and contributors. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/PKG-INFO new/urllib3-2.0.3/PKG-INFO --- old/urllib3-2.0.2/PKG-INFO 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/PKG-INFO 2023-06-07 12:13:12.000000000 +0200 
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 2.0.2 +Version: 2.0.3 Summary: HTTP library with thread-safe connection pooling, file post, and more. Project-URL: Changelog, https://github.com/urllib3/urllib3/blob/main/CHANGES.rst Project-URL: Documentation, https://urllib3.readthedocs.io diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/docs/conf.py new/urllib3-2.0.3/docs/conf.py --- old/urllib3-2.0.2/docs/conf.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/docs/conf.py 2023-06-07 12:13:12.000000000 +0200 @@ -35,8 +35,16 @@ "sphinx_copybutton", "sphinx.ext.doctest", "sphinx.ext.intersphinx", + "sphinxext.opengraph", ] +# Open Graph metadata +ogp_title = "urllib3 documentation" +ogp_site_url = "https://urllib3.readthedocs.io" +ogp_type = "website" +ogp_image = "https://github.com/urllib3/urllib3/raw/main/docs/_static/banner_github.svg" +ogp_description = "urllib3 is a user-friendly HTTP client library for Python." + # Test code blocks only when explicitly specified doctest_test_doctest_blocks = "" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/docs/reference/urllib3.connection.rst new/urllib3-2.0.3/docs/reference/urllib3.connection.rst --- old/urllib3-2.0.2/docs/reference/urllib3.connection.rst 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/docs/reference/urllib3.connection.rst 2023-06-07 12:13:12.000000000 +0200 
@@ -1,6 +1,8 @@ Connections =========== +.. automodule:: urllib3.connection + .. autoclass:: urllib3.connection.HTTPConnection :members: :exclude-members: putrequest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/docs/reference/urllib3.connectionpool.rst new/urllib3-2.0.3/docs/reference/urllib3.connectionpool.rst --- old/urllib3-2.0.2/docs/reference/urllib3.connectionpool.rst 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/docs/reference/urllib3.connectionpool.rst 2023-06-07 12:13:12.000000000 +0200 @@ -1,6 +1,8 @@ Connection Pools ================ +.. automodule:: urllib3.connectionpool + .. autoclass:: urllib3.HTTPConnectionPool :members: :undoc-members: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/docs/requirements.txt new/urllib3-2.0.3/docs/requirements.txt --- old/urllib3-2.0.2/docs/requirements.txt 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/docs/requirements.txt 2023-06-07 12:13:12.000000000 +0200 @@ -3,3 +3,4 @@ requests furo sphinx-copybutton +sphinxext-opengraph \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/docs/v2-migration-guide.rst new/urllib3-2.0.3/docs/v2-migration-guide.rst --- old/urllib3-2.0.2/docs/v2-migration-guide.rst 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/docs/v2-migration-guide.rst 2023-06-07 12:13:12.000000000 +0200 
@@ -51,6 +51,7 @@ - Deprecated the ``urllib3[secure]`` extra, will be removed in v2.1.0. - Deprecated the ``HTTPResponse.getheaders()`` method in favor of ``HTTPResponse.headers``, will be removed in v2.1.0. - Deprecated the ``HTTPResponse.getheader(name, default)`` method in favor of ``HTTPResponse.headers.get(name, default)``, will be removed in v2.1.0. +- Deprecated URLs without a scheme (ie 'https://') and will be raising an error in a future version of urllib3. - Changed the default minimum TLS version to TLS 1.2 (previously was TLS 1.0). - Removed support for verifying certificate hostnames via ``commonName``, now only ``subjectAltName`` is used. - Removed the default set of TLS ciphers, instead now urllib3 uses the list of ciphers configured by the system. @@ -152,11 +153,11 @@ # We only care about packages requiring urllib3 $ pipdeptree --reverse | grep "requires: urllib3" - - botocore==1.29.8 [requires: urllib3>=1.25.4,<1.27] - - requests==2.28.1 [requires: urllib3>=1.21.1,<1.27] + - botocore==1.29.8 [requires: urllib3>=1.25.4,<2] + - requests==2.28.1 [requires: urllib3>=1.21.1,<2] Reading the output from above, there are two packages which depend on urllib3: ``botocore`` and ``requests``. -The versions of these two packages both require urllib3 that is less than v2.0 (ie ``<1.27``). +The versions of these two packages both require urllib3 that is less than v2.0 (ie ``<2``). Because both of these packages require urllib3 before v2.0 the new version of urllib3 can't be installed by default. There are ways to force installing the newer version of urllib3 v2.0 (ie pinning to ``urllib3==2.0.0``) 
@@ -179,6 +180,89 @@ If your organization relies on urllib3 and is interested in continuing support you can learn more about the `Tidelift Subscription for Enterprise <https://tidelift.com/subscription/pkg/pypi-urllib3?utm_source=pypi-urllib3&utm_medium=referral&utm_campaign=docs>`_. +**ð¤ Common upgrading issues** +------------------------------- + +ssl module is compiled with OpenSSL 1.0.2.k-fips +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: text + + ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2k-fips 26 Jan 2017'. + See: https://github.com/urllib3/urllib3/issues/2168 + +Remediation depends on your system: + +- **AWS Lambda**: Upgrade to the Python3.10 runtime as it uses OpenSSL 1.1.1. Alternatively, you can + use a `custom Docker image + <https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/>`_ and ensure you + use a Python build that uses OpenSSL 1.1.1 or later. +- **Amazon Linux 2**: Upgrade to `Amazon Linux 2023 + <https://aws.amazon.com/linux/amazon-linux-2023/>`_. Alternatively, you can install OpenSSL 1.1.1 + on Amazon Linux 2 using ``yum install openssl11 openssl11-devel`` and then install Python with a + tool like pyenv. +- **Red Hat Enterpritse Linux 7 (RHEL 7)**: Upgrade to RHEL 8 or RHEL 9. +- **Read the Docs**: Upgrade your `configuration file to use Ubuntu 22.04 + <https://docs.readthedocs.io/en/stable/config-file/v2.html>`_ by using ``os: ubuntu-22.04`` in the + ``build`` section. Feel free to use the `urllib3 configuration + <https://github.com/urllib3/urllib3/blob/2.0.0/.readthedocs.yml>`_ as an inspiration. + +docker.errors.dockerexception: error while fetching server api version: request() got an unexpected keyword argument 'chunked' +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Upgrade to ``docker==6.1.0`` that is compatible with urllib3 2.0. 
+ +ImportError: cannot import name 'gaecontrib' from 'requests_toolbelt._compat' +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To be compatible with urllib3 2.0, Requests Toolbelt released version 1.0.0 without Google App +Engine Standard Python 2.7 support. Most users that reported this issue were using the `Pyrebase +<https://github.com/thisbejim/Pyrebase>`_ library that provides an API for the Firebase API. This +library is unmaintained, but `replacements exist +<https://github.com/thisbejim/Pyrebase/issues/435>`_. + +``ImportError: cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_'`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This likely happens because you're using botocore which `does not support urllib3 2.0 yet +<https://github.com/boto/botocore/issues/2921>`_. The good news is that botocore explicitly declares +in its dependencies that it only supports ``urllib3<2``. Make sure to use a recent pip. That way, pip +will install urllib3 1.26.x until botocore starts supporting urllib3 2.0. + +If you're deploying to an AWS environment such as Lambda or a host using Amazon Linux 2, +you'll need to explicitly pin to ``urllib3<2`` in your project to ensure urllib3 2.0 isn't +brought into your environment. Otherwise, this may result in unintended side effects with +the default boto3 installation. + +AttributeError: module 'urllib3.connectionpool' has no attribute 'VerifiedHTTPSConnection' +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The ``VerifiedHTTPSConnection`` class has always been documented to be in the +:mod:`~urllib3.connection` module. It used to be possible to import it from +:mod:`~urllib3.connectionpool` but that was acccidental and is no longer possible due to a +refactoring in urllib3 2.0. + +Note that the new name of this class is :class:`~urllib3.connection.HTTPSConnection`. 
It can be used +starting from urllib3 1.25.9. + +AttributeError: 'HTTPResponse' object has no attribute 'strict' +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The ``strict`` parameter is unneeded with Python 3 and should be removed. + +Pinning urllib3<2 +~~~~~~~~~~~~~~~~~ + +If the advice from the above sections did not help, you can pin urllib3 to 1.26.x by installing +``urllib3<2``. Please do **not** specify ``urllib3==1.26.15`` to make sure you continue getting +1.26.x updates! + +While urllib3 1.26.x is still supported, it won't get new features or bug fixes, just security +updates. Consider opening a tracking issue to unpin urllib3 in the future to not stay on 1.26.x +indefinitely. For more details on the recommended way to handle your dependencies in general, see +`Semantic Versioning Will Not Save You <https://hynek.me/articles/semver-will-not-save-you/>`_. The +second half even uses urllib3 2.0 as an example! + **ðª User-friendly features** ----------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/dummyserver/handlers.py new/urllib3-2.0.3/dummyserver/handlers.py --- old/urllib3-2.0.2/dummyserver/handlers.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/dummyserver/handlers.py 2023-06-07 12:13:12.000000000 +0200 @@ -8,7 +8,7 @@ import sys import typing import zlib -from datetime import datetime, timedelta +from datetime import datetime, timedelta, timezone from http.client import responses from io import BytesIO from urllib.parse import urlsplit 
@@ -344,7 +344,9 @@ date = params.get("date") if date: retry_after = str( - httputil.format_timestamp(datetime.utcfromtimestamp(float(date))) + httputil.format_timestamp( + datetime.fromtimestamp(float(date), tz=timezone.utc) + ) ) else: retry_after = "1" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/dummyserver/proxy.py new/urllib3-2.0.3/dummyserver/proxy.py --- old/urllib3-2.0.2/dummyserver/proxy.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/dummyserver/proxy.py 2023-06-07 12:13:12.000000000 +0200 @@ -45,29 +45,6 @@ SUPPORTED_METHODS = ["GET", "POST", "CONNECT"] # type: ignore[assignment] async def get(self) -> None: - async def handle_response(response: tornado.httpclient.HTTPResponse) -> None: - if response.error and not isinstance( - response.error, tornado.httpclient.HTTPError - ): - self.set_status(500) - self.write("Internal server error:\n" + str(response.error)) - await self.finish() - else: - self.set_status(response.code) - for header in ( - "Date", - "Cache-Control", - "Server", - "Content-Type", - "Location", - ): - v = response.headers.get(header) - if v: - self.set_header(header, v) - if response.body: - self.write(response.body) - await self.finish() - upstream_ca_certs = self.application.settings.get("upstream_ca_certs", None) ssl_options = None 
@@ -87,16 +64,21 @@ ) client = tornado.httpclient.AsyncHTTPClient() - try: - response = await client.fetch(req) - await handle_response(response) - except tornado.httpclient.HTTPError as e: - if hasattr(e, "response") and e.response: - await handle_response(e.response) - else: - self.set_status(500) - self.write("Internal server error:\n" + str(e)) - self.finish() + response = await client.fetch(req, raise_error=False) + self.set_status(response.code) + for header in ( + "Date", + "Cache-Control", + "Server", + "Content-Type", + "Location", + ): + v = response.headers.get(header) + if v: + self.set_header(header, v) + if response.body: + self.write(response.body) + await self.finish() async def post(self) -> None: await self.get() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/pyproject.toml new/urllib3-2.0.3/pyproject.toml --- old/urllib3-2.0.2/pyproject.toml 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/pyproject.toml 2023-06-07 12:13:12.000000000 +0200 @@ -85,6 +85,7 @@ log_level = "DEBUG" filterwarnings = [ "error", + '''default:urllib3 v2.0 only supports OpenSSL 1.1.1+.*''', '''default:'urllib3\[secure\]' extra is deprecated and will be removed in urllib3 v2\.1\.0.*:DeprecationWarning''', '''default:'urllib3\.contrib\.pyopenssl' module is deprecated and will be removed in urllib3 v2\.1\.0.*:DeprecationWarning''', '''default:'urllib3\.contrib\.securetransport' module is deprecated and will be removed in urllib3 v2\.1\.0.*:DeprecationWarning''', 
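Review bot: In `get()` in dummyserver/proxy.py, `client.fetch(req, raise_error=False)` is no longer wrapped in a `try`, and the removed branch that answered 500 with "Internal server error" for non-HTTP failures has no replacement. As far as I know, since Tornado 6.0 `raise_error=False` only suppresses the `HTTPError` raised for non-2xx status codes, so a connection or TLS failure towards the upstream would propagate out of the handler instead of reaching `self.set_status(response.code)`. If that is intended for the test proxy, a comment above the fetch would record it: `# raise_error=False: relay upstream error statuses as-is; transport errors propagate`. The body of `get()` starts outside this hunk.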
@@ -98,6 +99,11 @@ '''default:ssl\.PROTOCOL_TLSv1_2 is deprecated:DeprecationWarning''', '''default:unclosed .*:ResourceWarning''', '''default:ssl NPN is deprecated, use ALPN instead:DeprecationWarning''', + # https://github.com/pytest-dev/pytest/issues/10977 + '''default:ast\.(Num|NameConstant|Str) is deprecated and will be removed in Python 3\.14; use ast\.Constant instead:DeprecationWarning:_pytest''', + '''default:Attribute s is deprecated and will be removed in Python 3\.14; use value instead:DeprecationWarning:_pytest''', + # https://github.com/dateutil/dateutil/issues/1284 + '''default:datetime\.utcfromtimestamp\(\) is deprecated and scheduled for removal in a future version\.*:DeprecationWarning:dateutil''', ] [tool.isort] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/__init__.py new/urllib3-2.0.3/src/urllib3/__init__.py --- old/urllib3-2.0.2/src/urllib3/__init__.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/__init__.py 2023-06-07 12:13:12.000000000 +0200 
@@ -30,17 +30,19 @@ except ImportError: pass else: - # fmt: off - if ( - not ssl.OPENSSL_VERSION.startswith("OpenSSL ") - or ssl.OPENSSL_VERSION_INFO < (1, 1, 1) - ): # Defensive: + if not ssl.OPENSSL_VERSION.startswith("OpenSSL "): # Defensive: + warnings.warn( + "urllib3 v2.0 only supports OpenSSL 1.1.1+, currently " + f"the 'ssl' module is compiled with {ssl.OPENSSL_VERSION!r}. " + "See: https://github.com/urllib3/urllib3/issues/3020", + exceptions.NotOpenSSLWarning, + ) + elif ssl.OPENSSL_VERSION_INFO < (1, 1, 1): # Defensive: raise ImportError( "urllib3 v2.0 only supports OpenSSL 1.1.1+, currently " - f"the 'ssl' module is compiled with {ssl.OPENSSL_VERSION}. " + f"the 'ssl' module is compiled with {ssl.OPENSSL_VERSION!r}. " "See: https://github.com/urllib3/urllib3/issues/2168" ) - # fmt: on # === NOTE TO REPACKAGERS AND VENDORS === # Please delete this block, this logic is only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/_version.py new/urllib3-2.0.3/src/urllib3/_version.py --- old/urllib3-2.0.2/src/urllib3/_version.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/_version.py 2023-06-07 12:13:12.000000000 +0200 @@ -1,4 +1,4 @@ # This file is protected via CODEOWNERS from __future__ import annotations -__version__ = "2.0.2" +__version__ = "2.0.3" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/connection.py new/urllib3-2.0.3/src/urllib3/connection.py --- old/urllib3-2.0.2/src/urllib3/connection.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/connection.py 2023-06-07 12:13:12.000000000 +0200 
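Review bot: With the new `if`/`elif` in src/urllib3/__init__.py, a build whose `ssl.OPENSSL_VERSION` does not start with "OpenSSL " gets only a `NotOpenSSLWarning` and never reaches the `ssl.OPENSSL_VERSION_INFO < (1, 1, 1)` check, so no minimum version is enforced for those libraries. That looks deliberate, but the bare `# Defensive:` tags do not say so; a comment such as `# Non-OpenSSL libraries are allowed with a warning; the 1.1.1 floor applies to OpenSSL builds only` would record the decision. The `warnings.warn` call also passes no `stacklevel`, so the warning is attributed to urllib3's own module rather than to the importing code. The surrounding `try`/`except ImportError` starts outside the hunk.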
@@ -741,6 +741,8 @@ # `ssl` can't verify fingerprints or alternate hostnames assert_fingerprint or assert_hostname + # assert_hostname can be set to False to disable hostname checking + or assert_hostname is False # We still support OpenSSL 1.0.2, which prevents us from verifying # hostnames easily: https://github.com/pyca/pyopenssl/pull/933 or ssl_.IS_PYOPENSSL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/exceptions.py new/urllib3-2.0.3/src/urllib3/exceptions.py --- old/urllib3-2.0.2/src/urllib3/exceptions.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/exceptions.py 2023-06-07 12:13:12.000000000 +0200 @@ -214,6 +214,10 @@ """Warned when making an unverified HTTPS request.""" +class NotOpenSSLWarning(SecurityWarning): + """Warned when using unsupported SSL library""" + + class SystemTimeWarning(SecurityWarning): """Warned when system time is suspected to be wrong""" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/poolmanager.py new/urllib3-2.0.3/src/urllib3/poolmanager.py --- old/urllib3-2.0.2/src/urllib3/poolmanager.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/poolmanager.py 2023-06-07 12:13:12.000000000 +0200 
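Review bot: The added `or assert_hostname is False` sits directly after `or assert_hostname`, so the pair reads as redundant until one notices that the first covers a truthy alternate hostname and the second the explicit opt-out. The comment should say what is switched off and what is not, e.g. `# assert_hostname=False turns off hostname matching only; chain validation still follows cert_reqs`, assuming that holds. The new tests in test/with_dummyserver/test_https.py suggest it does, since they keep `cert_reqs="CERT_REQUIRED"`. The enclosing condition and function start and end outside this hunk, so how `None` is treated cannot be confirmed from here.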
@@ -419,6 +419,16 @@ """ u = parse_url(url) + if u.scheme is None: + warnings.warn( + "URLs without a scheme (ie 'https://') are deprecated and will raise an error " + "in a future version of urllib3. To avoid this DeprecationWarning ensure all URLs " + "start with 'https://' or 'http://'. Read more in this issue: " + "https://github.com/urllib3/urllib3/issues/2920", + category=DeprecationWarning, + stacklevel=2, + ) + conn = self.connection_from_host(u.host, port=u.port, scheme=u.scheme) kw["assert_same_host"] = False diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/response.py new/urllib3-2.0.3/src/urllib3/response.py --- old/urllib3-2.0.2/src/urllib3/response.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/response.py 2023-06-07 12:13:12.000000000 +0200 @@ -169,10 +169,15 @@ def decompress(self, data: bytes) -> bytes: if not data: return b"" - return self._obj.decompress(data) # type: ignore[no-any-return] + data_parts = [self._obj.decompress(data)] + while self._obj.eof and self._obj.unused_data: + unused_data = self._obj.unused_data + self._obj = zstd.ZstdDecompressor().decompressobj() + data_parts.append(self._obj.decompress(unused_data)) + return b"".join(data_parts) def flush(self) -> bytes: - ret = self._obj.flush() + ret = self._obj.flush() # note: this is a no-op if not self._obj.eof: raise DecodeError("Zstandard data is incomplete") return ret # type: ignore[no-any-return] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/util/retry.py new/urllib3-2.0.3/src/urllib3/util/retry.py --- old/urllib3-2.0.2/src/urllib3/util/retry.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/util/retry.py 2023-06-07 12:13:12.000000000 +0200 
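Review bot: The `DeprecationWarning` added after `parse_url(url)` uses `stacklevel=2`, which attributes it to whatever frame called this method. When the call arrives through `PoolManager.request(...)`, as in the new `test_deprecated_no_scheme`, that frame is presumably inside urllib3 rather than in user code, so the reported location may not help a user find the offending URL; it is worth checking which filename the warning carries on that path. A short comment above the check would also explain why it matters, e.g. `# u.scheme is None: connection_from_host falls back to its default scheme`. The enclosing method starts and ends outside the hunk.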
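Review bot: In `decompress`, the decompressor is only re-created when `self._obj.eof and self._obj.unused_data` are both set, so a frame that ends exactly at the end of one `data` chunk leaves a finished `self._obj` with nothing unused, and the next call hands the following frame to that finished object. I believe python-zstandard rejects reuse of a finished decompression object, in which case a multi-frame body would decode or fail depending on where the chunk boundaries fall. The added `test_decode_multiframe_zstd` feeds the whole body in one buffer, so it would not show this. A test that splits the input at the frame boundary would settle it; if it fails, a guard before the first call such as `if self._obj.eof: self._obj = zstd.ZstdDecompressor().decompressobj()` would cover the case.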
@@ -143,7 +143,7 @@ (most errors are resolved immediately by a second try without a delay). urllib3 will sleep for:: - {backoff factor} * (2 ** ({number of total retries} - 1)) + {backoff factor} * (2 ** ({number of previous retries})) seconds. If `backoff_jitter` is non-zero, this sleep is extended by:: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/src/urllib3/util/ssl_.py new/urllib3-2.0.3/src/urllib3/util/ssl_.py --- old/urllib3-2.0.2/src/urllib3/util/ssl_.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/src/urllib3/util/ssl_.py 2023-06-07 12:13:12.000000000 +0200 @@ -55,18 +55,23 @@ def _is_has_never_check_common_name_reliable( + openssl_version: str, openssl_version_number: int, implementation_name: str, version_info: _TYPE_VERSION_INFO, ) -> bool: + # As of May 2023, all released versions of LibreSSL fail to reject certificates with + # only common names, see https://github.com/urllib3/urllib3/pull/3024 + is_openssl = openssl_version.startswith("OpenSSL ") # Before fixing OpenSSL issue #14579, the SSL_new() API was not copying hostflags # like X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, which tripped up CPython. # https://github.com/openssl/openssl/issues/14579 # This was released in OpenSSL 1.1.1l+ (>=0x101010cf) is_openssl_issue_14579_fixed = openssl_version_number >= 0x101010CF - return is_openssl_issue_14579_fixed or _is_bpo_43522_fixed( - implementation_name, version_info + return is_openssl and ( + is_openssl_issue_14579_fixed + or _is_bpo_43522_fixed(implementation_name, version_info) ) @@ -93,6 +98,7 @@ HAS_NEVER_CHECK_COMMON_NAME, OP_NO_COMPRESSION, OP_NO_TICKET, + OPENSSL_VERSION, OPENSSL_VERSION_NUMBER, PROTOCOL_TLS, PROTOCOL_TLS_CLIENT, 
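Review bot: In `_is_has_never_check_common_name_reliable`, `is_openssl = openssl_version.startswith("OpenSSL ")` repeats the string test that src/urllib3/__init__.py applies to `ssl.OPENSSL_VERSION` in this same update, so the two definitions of "is OpenSSL" can drift apart. The comment above it names only LibreSSL while the check marks every non-OpenSSL library as unreliable; `# Only OpenSSL is trusted to honour hostname_checks_common_name = False; LibreSSL releases as of May 2023 do not` would match the code. The function would also benefit from a one-line docstring saying it returns whether setting `SSLContext.hostname_checks_common_name = False` can be relied on for the given library and interpreter.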
@@ -107,6 +113,7 @@ # Setting SSLContext.hostname_checks_common_name = False didn't work before CPython # 3.8.9, 3.9.3, and 3.10 (but OK on PyPy) or OpenSSL 1.1.1l+ if HAS_NEVER_CHECK_COMMON_NAME and not _is_has_never_check_common_name_reliable( + OPENSSL_VERSION, OPENSSL_VERSION_NUMBER, sys.implementation.name, sys.version_info, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/test/test_poolmanager.py new/urllib3-2.0.3/test/test_poolmanager.py --- old/urllib3-2.0.2/test/test_poolmanager.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/test/test_poolmanager.py 2023-06-07 12:13:12.000000000 +0200 @@ -259,6 +259,23 @@ assert pool is other_pool assert all(isinstance(key, PoolKey) for key in p.pools.keys()) + def test_deprecated_no_scheme(self) -> None: + p = PoolManager() + + with pytest.warns(DeprecationWarning) as records: + p.request(method="GET", url="evil.com://good.com") + + msg = ( + "URLs without a scheme (ie 'https://') are deprecated and will raise an error " + "in a future version of urllib3. To avoid this DeprecationWarning ensure all URLs " + "start with 'https://' or 'http://'. Read more in this issue: " + "https://github.com/urllib3/urllib3/issues/2920" + ) + + assert len(records) == 1 + assert isinstance(records[0].message, DeprecationWarning) + assert records[0].message.args[0] == msg + @patch("urllib3.poolmanager.PoolManager.connection_from_pool_key") def test_connection_from_context_strict_param( self, connection_from_pool_key: mock.MagicMock diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/test/test_response.py new/urllib3-2.0.3/test/test_response.py --- old/urllib3-2.0.2/test/test_response.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/test/test_response.py 2023-06-07 12:13:12.000000000 +0200 
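Review bot: `test_deprecated_no_scheme` calls `p.request(method="GET", url="evil.com://good.com")` on a real `PoolManager`, so this unit test appears to attempt a live connection to an external host; the spec change in this same update skips it for that reason. The assertions concern only the warning, so the connection should be stubbed, for instance in the `@patch(...)` style the following test uses for `connection_from_pool_key`, or the test should move under test/with_dummyserver. `assert len(records) == 1` will also break if any other `DeprecationWarning` fires during the request; `pytest.warns(DeprecationWarning, match=...)` is less brittle.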
@@ -333,6 +333,25 @@ assert r.data == b"foo" @onlyZstd() + def test_decode_multiframe_zstd(self) -> None: + data = ( + # Zstandard frame + zstd.compress(b"foo") + # skippable frame (must be ignored) + + bytes.fromhex( + "50 2A 4D 18" # Magic_Number (little-endian) + "07 00 00 00" # Frame_Size (little-endian) + "00 00 00 00 00 00 00" # User_Data + ) + # Zstandard frame + + zstd.compress(b"bar") + ) + + fp = BytesIO(data) + r = HTTPResponse(fp, headers={"content-encoding": "zstd"}) + assert r.data == b"foobar" + + @onlyZstd() def test_chunked_decoding_zstd(self) -> None: data = zstd.compress(b"foobarbaz") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/test/test_util.py new/urllib3-2.0.3/test/test_util.py --- old/urllib3-2.0.2/test/test_util.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/test/test_util.py 2023-06-07 12:13:12.000000000 +0200 
@@ -1068,21 +1068,24 @@ warn.assert_not_called() @pytest.mark.parametrize( - "openssl_version_number, implementation_name, version_info, reliable", + "openssl_version, openssl_version_number, implementation_name, version_info, reliable", [ # OpenSSL and Python OK -> reliable - (0x101010CF, "cpython", (3, 9, 3), True), + ("OpenSSL 1.1.1", 0x101010CF, "cpython", (3, 9, 3), True), # Python OK -> reliable - (0x10101000, "cpython", (3, 9, 3), True), - (0x10101000, "pypy", (3, 6, 9), False), + ("OpenSSL 1.1.1", 0x10101000, "cpython", (3, 9, 3), True), + ("OpenSSL 1.1.1", 0x10101000, "pypy", (3, 6, 9), False), # OpenSSL OK -> reliable - (0x101010CF, "cpython", (3, 9, 2), True), - # unreliable - (0x10101000, "cpython", (3, 9, 2), False), + ("OpenSSL 1.1.1", 0x101010CF, "cpython", (3, 9, 2), True), + # not OpenSSSL -> unreliable + ("LibreSSL 2.8.3", 0x101010CF, "cpython", (3, 10, 0), False), + # old OpenSSL and old Python, unreliable + ("OpenSSL 1.1.0", 0x10101000, "cpython", (3, 9, 2), False), ], ) def test_is_has_never_check_common_name_reliable( self, + openssl_version: str, openssl_version_number: int, implementation_name: str, version_info: _TYPE_VERSION_INFO, @@ -1090,6 +1093,7 @@ ) -> None: assert ( _is_has_never_check_common_name_reliable( + openssl_version, openssl_version_number, implementation_name, version_info, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/test/with_dummyserver/test_connectionpool.py new/urllib3-2.0.3/test/with_dummyserver/test_connectionpool.py --- old/urllib3-2.0.2/test/with_dummyserver/test_connectionpool.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/test/with_dummyserver/test_connectionpool.py 2023-06-07 12:13:12.000000000 +0200 
@@ -465,6 +465,12 @@ finally: conn.close() + def test_redirect_relative_url_no_deprecation(self) -> None: + with HTTPConnectionPool(self.host, self.port) as pool: + with warnings.catch_warnings(): + warnings.simplefilter("error", DeprecationWarning) + pool.request("GET", "/redirect", fields={"target": "/"}) + def test_redirect(self) -> None: with HTTPConnectionPool(self.host, self.port) as pool: r = pool.request("GET", "/redirect", fields={"target": "/"}, redirect=False) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.2/test/with_dummyserver/test_https.py new/urllib3-2.0.3/test/with_dummyserver/test_https.py --- old/urllib3-2.0.2/test/with_dummyserver/test_https.py 2023-05-04 00:26:56.000000000 +0200 +++ new/urllib3-2.0.3/test/with_dummyserver/test_https.py 2023-06-07 12:13:12.000000000 +0200 @@ -1117,6 +1117,32 @@ err.reason.args[0], (ssl.SSLCertVerificationError, CertificateError) ) + def test_assert_hostname_invalid_san( + self, no_localhost_san_server: ServerConfig + ) -> None: + """Ensure SAN errors are not raised while assert_hostname is false""" + with HTTPSConnectionPool( + no_localhost_san_server.host, + no_localhost_san_server.port, + cert_reqs="CERT_REQUIRED", + ca_certs=no_localhost_san_server.ca_certs, + assert_hostname=False, + ) as https_pool: + https_pool.request("GET", "/") + + def test_assert_hostname_invalid_cn( + self, no_san_server_with_different_commmon_name: ServerConfig + ) -> None: + """Ensure CN errors are not raised while assert_hostname is false""" + with HTTPSConnectionPool( + no_san_server_with_different_commmon_name.host, + no_san_server_with_different_commmon_name.port, + cert_reqs="CERT_REQUIRED", + ca_certs=no_san_server_with_different_commmon_name.ca_certs, + assert_hostname=False, + ) as https_pool: + https_pool.request("GET", "/") + class TestHTTPS_IPV4SAN: def test_can_validate_ip_san(self, ipv4_san_server: ServerConfig) -> None:
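Review bot: `test_assert_hostname_invalid_san` and `test_assert_hostname_invalid_cn` only show that a request succeeds with `assert_hostname=False`, so they would also pass if the change had disabled certificate verification altogether. A companion case is needed that keeps `assert_hostname=False` and `cert_reqs="CERT_REQUIRED"`, points `ca_certs` at a CA that did not issue the server certificate, and expects the request to fail. Both tests also discard the response; `r = https_pool.request("GET", "/")` followed by `assert r.status == 200` would confirm the handshake led to a real exchange.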