Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-urllib3_1 for openSUSE:Factory checked in at 2023-10-06 21:12:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-urllib3_1 (Old) and /work/SRC/openSUSE:Factory/.python-urllib3_1.new.28202 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3_1" Fri Oct 6 21:12:44 2023 rev:5 rq:1115891 version:1.26.17 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3_1/python-urllib3_1.changes 2023-09-07 21:13:54.999826921 +0200 +++ /work/SRC/openSUSE:Factory/.python-urllib3_1.new.28202/python-urllib3_1.changes 2023-10-06 21:13:19.257422335 +0200 @@ -1,0 +2,8 @@ +Thu Oct 5 15:35:21 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com> + +- update to 1.26.17 (bsc#1215968, CVE-2023-43804): + * Added the Cookie header to the list of headers to strip from + * requests when redirecting to a different host. As before, + * different headers can be set via Retry.remove_headers_on_redirect. + +------------------------------------------------------------------- Old: ---- urllib3-1.26.16.tar.gz New: ---- urllib3-1.26.17.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3_1.spec ++++++ --- /var/tmp/diff_new_pack.VjkO0c/_old 2023-10-06 21:13:20.377462799 +0200 +++ /var/tmp/diff_new_pack.VjkO0c/_new 2023-10-06 21:13:20.381462944 +0200 @@ -26,7 +26,7 @@ %endif %{?sle15_python_module_pythons} Name: python-urllib3_1%{psuffix} -Version: 1.26.16 +Version: 1.26.17 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT ++++++ urllib3-1.26.16.tar.gz -> urllib3-1.26.17.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/CHANGES.rst new/urllib3-1.26.17/CHANGES.rst --- old/urllib3-1.26.16/CHANGES.rst 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/CHANGES.rst 2023-10-02 19:18:24.000000000 +0200 
@@ -1,6 +1,12 @@ Changes ======= +1.26.17 (2023-10-02) +-------------------- + +* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. + + 1.26.16 (2023-05-23) -------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/PKG-INFO new/urllib3-1.26.17/PKG-INFO --- old/urllib3-1.26.16/PKG-INFO 2023-05-23 12:51:13.747491400 +0200 +++ new/urllib3-1.26.17/PKG-INFO 2023-10-02 19:18:33.111136000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.26.16 +Version: 1.26.17 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov 
@@ -30,10 +30,21 @@ Classifier: Topic :: Software Development :: Libraries Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.* Description-Content-Type: text/x-rst +License-File: LICENSE.txt Provides-Extra: brotli +Requires-Dist: brotli==1.0.9; (os_name != "nt" and python_version < "3" and platform_python_implementation == "CPython") and extra == "brotli" +Requires-Dist: brotli>=1.0.9; (python_version >= "3" and platform_python_implementation == "CPython") and extra == "brotli" +Requires-Dist: brotlicffi>=0.8.0; ((os_name != "nt" or python_version >= "3") and platform_python_implementation != "CPython") and extra == "brotli" +Requires-Dist: brotlipy>=0.6.0; (os_name == "nt" and python_version < "3") and extra == "brotli" Provides-Extra: secure +Requires-Dist: pyOpenSSL>=0.14; extra == "secure" +Requires-Dist: cryptography>=1.3.4; extra == "secure" +Requires-Dist: idna>=2.0.0; extra == "secure" +Requires-Dist: certifi; extra == "secure" +Requires-Dist: ipaddress; python_version == "2.7" and extra == "secure" +Requires-Dist: urllib3-secure-extra; extra == "secure" Provides-Extra: socks -License-File: LICENSE.txt +Requires-Dist: PySocks!=1.5.7,<2.0,>=1.5.6; extra == "socks" urllib3 is a powerful, *user-friendly* HTTP client for Python. Much of the @@ -144,6 +155,12 @@ Changes ======= +1.26.17 (2023-10-02) +-------------------- + +* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. + + 1.26.16 (2023-05-23) -------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/docs/requirements.txt new/urllib3-1.26.17/docs/requirements.txt --- old/urllib3-1.26.16/docs/requirements.txt 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/docs/requirements.txt 2023-10-02 19:18:24.000000000 +0200 
@@ -1,4 +1,4 @@ -r ../dev-requirements.txt sphinx>3.0.0 -requests>=2,<2.16 +requests>=2 furo diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/setup.py new/urllib3-1.26.17/setup.py --- old/urllib3-1.26.16/setup.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/setup.py 2023-10-02 19:18:24.000000000 +0200 @@ -85,7 +85,9 @@ python_requires=">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*", extras_require={ "brotli": [ - "brotli>=1.0.9; (os_name != 'nt' or python_version >= '3') and platform_python_implementation == 'CPython'", + # https://github.com/google/brotli/issues/1074 + "brotli==1.0.9; os_name != 'nt' and python_version < '3' and platform_python_implementation == 'CPython'", + "brotli>=1.0.9; python_version >= '3' and platform_python_implementation == 'CPython'", "brotlicffi>=0.8.0; (os_name != 'nt' or python_version >= '3') and platform_python_implementation != 'CPython'", "brotlipy>=0.6.0; os_name == 'nt' and python_version < '3'", ], diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/src/urllib3/_version.py new/urllib3-1.26.17/src/urllib3/_version.py --- old/urllib3-1.26.16/src/urllib3/_version.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/src/urllib3/_version.py 2023-10-02 19:18:24.000000000 +0200 @@ -1,2 +1,2 @@ # This file is protected via CODEOWNERS -__version__ = "1.26.16" +__version__ = "1.26.17" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/src/urllib3/request.py new/urllib3-1.26.17/src/urllib3/request.py --- old/urllib3-1.26.16/src/urllib3/request.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/src/urllib3/request.py 2023-10-02 19:18:24.000000000 +0200 
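Review bot: The new Python 2 entry in the `brotli` extra of setup.py is an exact pin, `brotli==1.0.9`, and its only explanation is a bare issue URL, so a reader cannot tell from the file why the pin exists or that it is deliberate. An exact pin also means Python 2 installs will never select a later brotli release, including any fix to its decompression code, which is worth saying next to the pin. I would expand the comment to something like `# Python 2 stays on brotli 1.0.9 (no newer release, fixes included, is selected there); see https://github.com/google/brotli/issues/1074`. The `extras_require` dict starts and ends outside the hunk.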
@@ -1,6 +1,9 @@ from __future__ import absolute_import +import sys + from .filepost import encode_multipart_formdata +from .packages import six from .packages.six.moves.urllib.parse import urlencode __all__ = ["RequestMethods"] @@ -168,3 +171,21 @@ extra_kw.update(urlopen_kw) return self.urlopen(method, url, **extra_kw) + + +if not six.PY2: + + class RequestModule(sys.modules[__name__].__class__): + def __call__(self, *args, **kwargs): + """ + If user tries to call this module directly urllib3 v2.x style raise an error to the user + suggesting they may need urllib3 v2 + """ + raise TypeError( + "'module' object is not callable\n" + "urllib3.request() method is not supported in this release, " + "upgrade to urllib3 v2 to use it\n" + "see https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html" + ) + + sys.modules[__name__].__class__ = RequestModule diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/src/urllib3/util/retry.py new/urllib3-1.26.17/src/urllib3/util/retry.py --- old/urllib3-1.26.16/src/urllib3/util/retry.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/src/urllib3/util/retry.py 2023-10-02 19:18:24.000000000 +0200 @@ -235,7 +235,7 @@ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) #: Default headers to be used for ``remove_headers_on_redirect`` - DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) + DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) #: Maximum backoff time. DEFAULT_BACKOFF_MAX = 120 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/src/urllib3.egg-info/PKG-INFO new/urllib3-1.26.17/src/urllib3.egg-info/PKG-INFO --- old/urllib3-1.26.16/src/urllib3.egg-info/PKG-INFO 2023-05-23 12:51:13.000000000 +0200 +++ new/urllib3-1.26.17/src/urllib3.egg-info/PKG-INFO 2023-10-02 19:18:33.000000000 +0200 
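Review bot: The module-class swap added at the end of request.py has no comment saying why `sys.modules[__name__].__class__` is replaced or why that is skipped under `six.PY2`; the `__call__` docstring covers the error but not the mechanism. A short comment above the `if not six.PY2:` guard would help, for example `# Swap in a module subclass whose __call__ raises, so urllib3.request(...) points users at v2; skipped on Python 2.` The message also opens with `'module' object is not callable`, mirroring the interpreter's own wording. That looks intended, so that code matching on the text sees no change, but the docstring should say so.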
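Review bot: The `#:` comment above `DEFAULT_REMOVE_HEADERS_ON_REDIRECT` in retry.py does not say that this set is only a default: a caller who passes `remove_headers_on_redirect` replaces it, so `Retry(remove_headers_on_redirect=["X-API-Secret"])` still forwards both `Cookie` and `Authorization` on a cross-host redirect, as the updated test_poolmanager.py assertions `data["Cookie"] == "foo=bar"` in this same diff confirm. Because this one-line change is the fix the package changelog ties to CVE-2023-43804, callers with a custom list do not benefit from it and have to add `"Cookie"` themselves. I would extend the comment to `#: Default headers to be used for ``remove_headers_on_redirect``; a caller-supplied value replaces this set rather than extending it`. Other credential-carrying headers such as `Proxy-Authorization` are not in the default either. The enclosing class body lies outside the hunk.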
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.26.16 +Version: 1.26.17 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov @@ -30,10 +30,21 @@ Classifier: Topic :: Software Development :: Libraries Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.* Description-Content-Type: text/x-rst +License-File: LICENSE.txt Provides-Extra: brotli +Requires-Dist: brotli==1.0.9; (os_name != "nt" and python_version < "3" and platform_python_implementation == "CPython") and extra == "brotli" +Requires-Dist: brotli>=1.0.9; (python_version >= "3" and platform_python_implementation == "CPython") and extra == "brotli" +Requires-Dist: brotlicffi>=0.8.0; ((os_name != "nt" or python_version >= "3") and platform_python_implementation != "CPython") and extra == "brotli" +Requires-Dist: brotlipy>=0.6.0; (os_name == "nt" and python_version < "3") and extra == "brotli" Provides-Extra: secure +Requires-Dist: pyOpenSSL>=0.14; extra == "secure" +Requires-Dist: cryptography>=1.3.4; extra == "secure" +Requires-Dist: idna>=2.0.0; extra == "secure" +Requires-Dist: certifi; extra == "secure" +Requires-Dist: ipaddress; python_version == "2.7" and extra == "secure" +Requires-Dist: urllib3-secure-extra; extra == "secure" Provides-Extra: socks -License-File: LICENSE.txt +Requires-Dist: PySocks!=1.5.7,<2.0,>=1.5.6; extra == "socks" urllib3 is a powerful, *user-friendly* HTTP client for Python. Much of the 
@@ -144,6 +155,12 @@ Changes ======= +1.26.17 (2023-10-02) +-------------------- + +* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. + + 1.26.16 (2023-05-23) -------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/src/urllib3.egg-info/SOURCES.txt new/urllib3-1.26.17/src/urllib3.egg-info/SOURCES.txt --- old/urllib3-1.26.16/src/urllib3.egg-info/SOURCES.txt 2023-05-23 12:51:13.000000000 +0200 +++ new/urllib3-1.26.17/src/urllib3.egg-info/SOURCES.txt 2023-10-02 19:18:33.000000000 +0200 @@ -107,6 +107,7 @@ test/test_poolmanager.py test/test_proxymanager.py test/test_queue_monkeypatch.py +test/test_request.py test/test_response.py test/test_retry.py test/test_retry_deprecated.py diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/src/urllib3.egg-info/requires.txt new/urllib3-1.26.17/src/urllib3.egg-info/requires.txt --- old/urllib3-1.26.16/src/urllib3.egg-info/requires.txt 2023-05-23 12:51:13.000000000 +0200 +++ new/urllib3-1.26.17/src/urllib3.egg-info/requires.txt 2023-10-02 19:18:33.000000000 +0200 
@@ -4,12 +4,15 @@ [brotli:(os_name != "nt" or python_version >= "3") and platform_python_implementation != "CPython"] brotlicffi>=0.8.0 -[brotli:(os_name != "nt" or python_version >= "3") and platform_python_implementation == "CPython"] -brotli>=1.0.9 +[brotli:os_name != "nt" and python_version < "3" and platform_python_implementation == "CPython"] +brotli==1.0.9 [brotli:os_name == "nt" and python_version < "3"] brotlipy>=0.6.0 +[brotli:python_version >= "3" and platform_python_implementation == "CPython"] +brotli>=1.0.9 + [secure] pyOpenSSL>=0.14 cryptography>=1.3.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/test/test_request.py new/urllib3-1.26.17/test/test_request.py --- old/urllib3-1.26.16/test/test_request.py 1970-01-01 01:00:00.000000000 +0100 +++ new/urllib3-1.26.17/test/test_request.py 2023-10-02 19:18:24.000000000 +0200 
@@ -0,0 +1,26 @@ +import types + +import pytest + +import urllib3 +from urllib3.packages import six + + +@pytest.mark.skipif( + six.PY2, + reason="This behaviour isn't added when running urllib3 in Python 2", +) +class TestRequestImport(object): + def test_request_import_error(self): + """Ensure an appropriate error is raised to the user + if they try and run urllib3.request()""" + with pytest.raises(TypeError) as exc_info: + urllib3.request(1, a=2) + assert "urllib3 v2" in exc_info.value.args[0] + + def test_request_module_properties(self): + """Ensure properties of the overridden request module + are still present""" + assert isinstance(urllib3.request, types.ModuleType) + expected_attrs = {"RequestMethods", "encode_multipart_formdata", "urlencode"} + assert set(dir(urllib3.request)).issuperset(expected_attrs) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/test/test_retry.py new/urllib3-1.26.17/test/test_retry.py --- old/urllib3-1.26.16/test/test_retry.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/test/test_retry.py 2023-10-02 19:18:24.000000000 +0200 
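Review bot: `test_request_import_error` in the new test/test_request.py checks the message by indexing `exc_info.value.args[0]`; passing the pattern to `pytest.raises` is the more usual form and gives a clearer failure report: `with pytest.raises(TypeError, match="urllib3 v2"):`. The call under test, `urllib3.request(1, a=2)`, could also carry a one-line comment that the arguments are arbitrary, since the `__call__` added in request.py raises without looking at them.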
@@ -293,12 +293,12 @@ def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ["authorization"] + assert retry.remove_headers_on_redirect == {"authorization", "cookie"} def test_retry_set_remove_headers_on_redirect(self): retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) - assert list(retry.remove_headers_on_redirect) == ["x-api-secret"] + assert retry.remove_headers_on_redirect == {"x-api-secret"} @pytest.mark.parametrize("value", ["-1", "+1", "1.0", six.u("\xb2")]) # \xb2 = ^2 def test_parse_retry_after_invalid(self, value): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/test/test_retry_deprecated.py new/urllib3-1.26.17/test/test_retry_deprecated.py --- old/urllib3-1.26.16/test/test_retry_deprecated.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/test/test_retry_deprecated.py 2023-10-02 19:18:24.000000000 +0200 @@ -295,7 +295,7 @@ def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ["authorization"] + assert retry.remove_headers_on_redirect == {"authorization", "cookie"} def test_retry_set_remove_headers_on_redirect(self): retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.16/test/with_dummyserver/test_poolmanager.py new/urllib3-1.26.17/test/with_dummyserver/test_poolmanager.py --- old/urllib3-1.26.16/test/with_dummyserver/test_poolmanager.py 2023-05-23 12:51:05.000000000 +0200 +++ new/urllib3-1.26.17/test/with_dummyserver/test_poolmanager.py 2023-10-02 19:18:24.000000000 +0200 @@ -141,7 +141,7 @@ "GET", "%s/redirect" % self.base_url, fields={"target": "%s/headers" % self.base_url_alt}, - headers={"Authorization": "foo"}, + headers={"Authorization": "foo", "Cookie": "foo=bar"}, ) assert r.status == 200 
@@ -149,12 +149,13 @@ data = json.loads(r.data.decode("utf-8")) assert "Authorization" not in data + assert "Cookie" not in data r = http.request( "GET", "%s/redirect" % self.base_url, fields={"target": "%s/headers" % self.base_url_alt}, - headers={"authorization": "foo"}, + headers={"authorization": "foo", "cookie": "foo=bar"}, ) assert r.status == 200 @@ -163,6 +164,8 @@ assert "authorization" not in data assert "Authorization" not in data + assert "cookie" not in data + assert "Cookie" not in data def test_redirect_cross_host_no_remove_headers(self): with PoolManager() as http: @@ -170,7 +173,7 @@ "GET", "%s/redirect" % self.base_url, fields={"target": "%s/headers" % self.base_url_alt}, - headers={"Authorization": "foo"}, + headers={"Authorization": "foo", "Cookie": "foo=bar"}, retries=Retry(remove_headers_on_redirect=[]), ) @@ -179,6 +182,7 @@ data = json.loads(r.data.decode("utf-8")) assert data["Authorization"] == "foo" + assert data["Cookie"] == "foo=bar" def test_redirect_cross_host_set_removed_headers(self): with PoolManager() as http: @@ -186,7 +190,11 @@ "GET", "%s/redirect" % self.base_url, fields={"target": "%s/headers" % self.base_url_alt}, - headers={"X-API-Secret": "foo", "Authorization": "bar"}, + headers={ + "X-API-Secret": "foo", + "Authorization": "bar", + "Cookie": "foo=bar", + }, retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), ) @@ -196,12 +204,17 @@ assert "X-API-Secret" not in data assert data["Authorization"] == "bar" + assert data["Cookie"] == "foo=bar" r = http.request( "GET", "%s/redirect" % self.base_url, fields={"target": "%s/headers" % self.base_url_alt}, - headers={"x-api-secret": "foo", "authorization": "bar"}, + headers={ + "x-api-secret": "foo", + "authorization": "bar", + "cookie": "foo=bar", + }, retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), ) 
@@ -212,6 +225,7 @@ assert "x-api-secret" not in data assert "X-API-Secret" not in data assert data["Authorization"] == "bar" + assert data["Cookie"] == "foo=bar" def test_redirect_without_preload_releases_connection(self): with PoolManager(block=True, maxsize=2) as http: