Hello community,

here is the log from the commit of package python-urllib3 for openSUSE:Factory 
checked in at 2023-10-06 21:12:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old)
 and      /work/SRC/openSUSE:Factory/.python-urllib3.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-urllib3"

Fri Oct  6 21:12:45 2023 rev:62 rq:1115892 version:2.0.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes    
2023-09-21 22:20:26.655195388 +0200
+++ /work/SRC/openSUSE:Factory/.python-urllib3.new.28202/python-urllib3.changes 
2023-10-06 21:13:20.689474072 +0200
@@ -1,0 +2,13 @@
+Thu Oct  5 15:47:36 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com>
+
+- update to 2.0.6 (bsc#1215968, CVE-2023-43804):
+  * Added the Cookie header to the list of headers to strip from
+    requests when redirecting to a different host. As before, different
+    headers can be set via Retry.remove_headers_on_redirect
+- 2.0.5:
+  * Allowed pyOpenSSL third-party module without any deprecation
+    warning. #3126
+  * Fixed default blocksize of HTTPConnection classes to match
+    high-level classes. Previously was 8KiB, now 16KiB. #3066
+
+-------------------------------------------------------------------

Old:
----
  urllib3-2.0.4.tar.gz

New:
----
  urllib3-2.0.6.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-urllib3.spec ++++++
--- /var/tmp/diff_new_pack.bgQjkV/_old  2023-10-06 21:13:21.737511936 +0200
+++ /var/tmp/diff_new_pack.bgQjkV/_new  2023-10-06 21:13:21.741512080 +0200
@@ -26,7 +26,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3%{psuffix}
-Version:        2.0.4
+Version:        2.0.6
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, 
and more
 License:        MIT

++++++ urllib3-2.0.4.tar.gz -> urllib3-2.0.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/CHANGES.rst 
new/urllib3-2.0.6/CHANGES.rst
--- old/urllib3-2.0.4/CHANGES.rst       2023-07-19 16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/CHANGES.rst       2023-10-02 19:07:11.000000000 +0200
@@ -1,3 +1,15 @@
+2.0.6 (2023-10-02)
+==================
+
+* Added the ``Cookie`` header to the list of headers to strip from requests 
when redirecting to a different host. As before, different headers can be set 
via ``Retry.remove_headers_on_redirect``.
+
+2.0.5 (2023-09-20)
+==================
+
+- Allowed pyOpenSSL third-party module without any deprecation warning. 
(`#3126 <https://github.com/urllib3/urllib3/issues/3126>`__)
+- Fixed default ``blocksize`` of ``HTTPConnection`` classes to match 
high-level classes. Previously was 8KiB, now 16KiB. (`#3066 
<https://github.com/urllib3/urllib3/issues/3066>`__)
+
+
 2.0.4 (2023-07-19)
 ==================
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/PKG-INFO new/urllib3-2.0.6/PKG-INFO
--- old/urllib3-2.0.4/PKG-INFO  2023-07-19 16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/PKG-INFO  2023-10-02 19:07:11.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: urllib3
-Version: 2.0.4
+Version: 2.0.6
 Summary: HTTP library with thread-safe connection pooling, file post, and more.
 Project-URL: Changelog, 
https://github.com/urllib3/urllib3/blob/main/CHANGES.rst
 Project-URL: Documentation, https://urllib3.readthedocs.io
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/dev-requirements.txt 
new/urllib3-2.0.6/dev-requirements.txt
--- old/urllib3-2.0.4/dev-requirements.txt      2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/dev-requirements.txt      2023-10-02 19:07:11.000000000 
+0200
@@ -7,7 +7,7 @@
 # We have to install at most cryptography 39.0.2 for PyPy<7.3.10
 # versions of Python 3.7, 3.8, and 3.9.
 cryptography==39.0.2;implementation_name=="pypy" and 
implementation_version<"7.3.10"
-cryptography==41.0.2;implementation_name!="pypy" or 
implementation_version>="7.3.10"
+cryptography==41.0.4;implementation_name!="pypy" or 
implementation_version>="7.3.10"
 backports.zoneinfo==0.2.1;python_version<"3.9"
-towncrier==21.9.0
+towncrier==23.6.0
 pytest-memray==1.4.0;python_version>="3.8" and python_version<"3.12" and 
sys_platform!="win32" and implementation_name=="cpython"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/docs/advanced-usage.rst 
new/urllib3-2.0.6/docs/advanced-usage.rst
--- old/urllib3-2.0.4/docs/advanced-usage.rst   2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/docs/advanced-usage.rst   2023-10-02 19:07:11.000000000 
+0200
@@ -198,23 +198,23 @@
 
 * HTTP proxy + HTTP destination
    Your request will be forwarded with the `absolute URI
-   <https://tools.ietf.org/html/rfc7230#section-5.3.2>`_.
+   <https://datatracker.ietf.org/doc/html/rfc9112#name-absolute-form>`_.
 
 * HTTP proxy + HTTPS destination
     A TCP tunnel will be established with a `HTTP
-    CONNECT <https://tools.ietf.org/html/rfc7231#section-4.3.6>`_. Afterward a
+    CONNECT <https://datatracker.ietf.org/doc/html/rfc9110#name-connect>`_. 
Afterward a
     TLS connection will be established with the destination and your request
     will be sent.
 
 * HTTPS proxy + HTTP destination
     A TLS connection will be established to the proxy and later your request
     will be forwarded with the `absolute URI
-    <https://tools.ietf.org/html/rfc7230#section-5.3.2>`_.
+    <https://datatracker.ietf.org/doc/html/rfc9112#name-absolute-form>`_.
 
 * HTTPS proxy + HTTPS destination
     A TLS-in-TLS tunnel will be established.  An initial TLS connection will be
     established to the proxy, then an `HTTP CONNECT
-    <https://tools.ietf.org/html/rfc7231#section-4.3.6>`_ will be sent to
+    <https://datatracker.ietf.org/doc/html/rfc9110#name-connect>`_ will be 
sent to
     establish a TCP connection to the destination and finally a second TLS
     connection will be established to the destination. You can customize the
     :class:`ssl.SSLContext` used for the proxy TLS connection through the
@@ -222,7 +222,7 @@
     class.
 
 For HTTPS proxies we also support forwarding your requests to HTTPS 
destinations with
-an `absolute URI <https://tools.ietf.org/html/rfc7230#section-5.3.2>`_ if the
+an `absolute URI 
<https://datatracker.ietf.org/doc/html/rfc9112#name-absolute-form>`_ if the
 ``use_forwarding_for_https`` argument is set to ``True``. We strongly 
recommend you
 **only use this option with trusted or corporate proxies** as the proxy will 
have
 full visibility of your requests.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/docs/reference/contrib/pyopenssl.rst 
new/urllib3-2.0.6/docs/reference/contrib/pyopenssl.rst
--- old/urllib3-2.0.4/docs/reference/contrib/pyopenssl.rst      2023-07-19 
16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/docs/reference/contrib/pyopenssl.rst      2023-10-02 
19:07:11.000000000 +0200
@@ -1,8 +1,5 @@
 PyOpenSSL
 =========
-.. warning::
-    DEPRECATED: This module is deprecated and will be removed in urllib3 
v2.1.0.
-    Read more in this `issue 
<https://github.com/urllib3/urllib3/issues/2680>`_.
 
 .. automodule:: urllib3.contrib.pyopenssl
     :members:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/docs/requirements.txt 
new/urllib3-2.0.6/docs/requirements.txt
--- old/urllib3-2.0.4/docs/requirements.txt     2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/docs/requirements.txt     2023-10-02 19:07:11.000000000 
+0200
@@ -1,5 +1,6 @@
 -r ../dev-requirements.txt
-sphinx>3.0.0
+# https://github.com/sphinx-doc/sphinx/issues/11662#issuecomment-1713887182
+sphinx>3.0.0,<7.2.5
 requests
 furo
 sphinx-copybutton
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/docs/user-guide.rst 
new/urllib3-2.0.6/docs/user-guide.rst
--- old/urllib3-2.0.4/docs/user-guide.rst       2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/docs/user-guide.rst       2023-10-02 19:07:11.000000000 
+0200
@@ -238,6 +238,9 @@
     print(resp.json())
     # {"cookies": {"id": "30", "session": "f3efe9db"}}  
 
+Note that the ``Cookie`` header will be stripped if the server redirects to a
+different host.
+
 Cookies provided by the server are stored in the ``Set-Cookie`` header:
 
 .. code-block:: python
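Review bot: The note added to user-guide.rst names only Cookie and does not point to the setting that controls the behaviour. Suggest naming Retry.remove_headers_on_redirect here, as the CHANGES.rst entry does, and saying that Authorization is stripped the same way, so readers who depend on cookies surviving a redirect know where to look.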
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/pyproject.toml 
new/urllib3-2.0.6/pyproject.toml
--- old/urllib3-2.0.4/pyproject.toml    2023-07-19 16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/pyproject.toml    2023-10-02 19:07:11.000000000 +0200
@@ -87,7 +87,6 @@
     "error",
     '''default:urllib3 v2.0 only supports OpenSSL 1.1.1+.*''',
     '''default:'urllib3\[secure\]' extra is deprecated and will be removed in 
urllib3 v2\.1\.0.*:DeprecationWarning''',
-    '''default:'urllib3\.contrib\.pyopenssl' module is deprecated and will be 
removed in urllib3 v2\.1\.0.*:DeprecationWarning''',
     '''default:'urllib3\.contrib\.securetransport' module is deprecated and 
will be removed in urllib3 v2\.1\.0.*:DeprecationWarning''',
     '''default:No IPv6 support. Falling back to 
IPv4:urllib3.exceptions.HTTPWarning''',
     '''default:No IPv6 support. skipping:urllib3.exceptions.HTTPWarning''',
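Review bot: The filter for the 'urllib3[secure]' extra deprecation stays in this list while the one for 'urllib3.contrib.pyopenssl' is dropped, so the extra is still flagged for removal in v2.1.0 and the module no longer is. If that split is intended, docs/reference/contrib/pyopenssl.rst should state the status of each, since the warning block removed there leaves the page with no notice at all.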
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/src/urllib3/_base_connection.py 
new/urllib3-2.0.6/src/urllib3/_base_connection.py
--- old/urllib3-2.0.4/src/urllib3/_base_connection.py   2023-07-19 
16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/src/urllib3/_base_connection.py   2023-10-02 
19:07:11.000000000 +0200
@@ -151,7 +151,7 @@
             *,
             timeout: _TYPE_TIMEOUT = _DEFAULT_TIMEOUT,
             source_address: tuple[str, int] | None = None,
-            blocksize: int = 8192,
+            blocksize: int = 16384,
             socket_options: _TYPE_SOCKET_OPTIONS | None = ...,
             proxy: Url | None = None,
             proxy_config: ProxyConfig | None = None,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/src/urllib3/_version.py 
new/urllib3-2.0.6/src/urllib3/_version.py
--- old/urllib3-2.0.4/src/urllib3/_version.py   2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/src/urllib3/_version.py   2023-10-02 19:07:11.000000000 
+0200
@@ -1,4 +1,4 @@
 # This file is protected via CODEOWNERS
 from __future__ import annotations
 
-__version__ = "2.0.4"
+__version__ = "2.0.6"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/src/urllib3/connection.py 
new/urllib3-2.0.6/src/urllib3/connection.py
--- old/urllib3-2.0.4/src/urllib3/connection.py 2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/src/urllib3/connection.py 2023-10-02 19:07:11.000000000 
+0200
@@ -137,7 +137,7 @@
         *,
         timeout: _TYPE_TIMEOUT = _DEFAULT_TIMEOUT,
         source_address: tuple[str, int] | None = None,
-        blocksize: int = 8192,
+        blocksize: int = 16384,
         socket_options: None
         | (connection._TYPE_SOCKET_OPTIONS) = default_socket_options,
         proxy: Url | None = None,
@@ -512,7 +512,7 @@
         *,
         timeout: _TYPE_TIMEOUT = _DEFAULT_TIMEOUT,
         source_address: tuple[str, int] | None = None,
-        blocksize: int = 8192,
+        blocksize: int = 16384,
         socket_options: None
         | (connection._TYPE_SOCKET_OPTIONS) = 
HTTPConnection.default_socket_options,
         proxy: Url | None = None,
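Review bot: The literal 16384 is now repeated in three signatures (one in _base_connection.py, two here in connection.py), and the changelog describes this fix as bringing these defaults back in line with the high-level classes. A single named constant shared by every signature would keep the values from drifting apart again.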
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/src/urllib3/contrib/pyopenssl.py 
new/urllib3-2.0.6/src/urllib3/contrib/pyopenssl.py
--- old/urllib3-2.0.4/src/urllib3/contrib/pyopenssl.py  2023-07-19 
16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/src/urllib3/contrib/pyopenssl.py  2023-10-02 
19:07:11.000000000 +0200
@@ -54,21 +54,12 @@
 import logging
 import ssl
 import typing
-import warnings
 from io import BytesIO
 from socket import socket as socket_cls
 from socket import timeout
 
 from .. import util
 
-warnings.warn(
-    "'urllib3.contrib.pyopenssl' module is deprecated and will be removed "
-    "in urllib3 v2.1.0. Read more in this issue: "
-    "https://github.com/urllib3/urllib3/issues/2680";,
-    category=DeprecationWarning,
-    stacklevel=2,
-)
-
 if typing.TYPE_CHECKING:
     from OpenSSL.crypto import X509  # type: ignore[import]
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/src/urllib3/response.py 
new/urllib3-2.0.6/src/urllib3/response.py
--- old/urllib3-2.0.4/src/urllib3/response.py   2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/src/urllib3/response.py   2023-10-02 19:07:11.000000000 
+0200
@@ -878,11 +878,7 @@
 
         data = self._raw_read(amt)
 
-        flush_decoder = False
-        if amt is None:
-            flush_decoder = True
-        elif amt != 0 and not data:
-            flush_decoder = True
+        flush_decoder = amt is None or (amt != 0 and not data)
 
         if not data and len(self._decoded_buffer) == 0:
             return data
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/src/urllib3/util/retry.py 
new/urllib3-2.0.6/src/urllib3/util/retry.py
--- old/urllib3-2.0.4/src/urllib3/util/retry.py 2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/src/urllib3/util/retry.py 2023-10-02 19:07:11.000000000 
+0200
@@ -187,7 +187,7 @@
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
     #: Default headers to be used for ``remove_headers_on_redirect``
-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
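Review bot: The comment above DEFAULT_REMOVE_HEADERS_ON_REDIRECT does not say that a caller-supplied remove_headers_on_redirect replaces this set rather than extending it. The updated test using Retry(remove_headers_on_redirect=["X-API-Secret"]) asserts that both Cookie and Authorization reach the other host, so callers who already customise the list get no protection from this change. Suggest documenting that here and recommending a union with the default, for example Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT | {"X-API-Secret"}.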
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/urllib3-2.0.4/test/test_retry.py 
new/urllib3-2.0.6/test/test_retry.py
--- old/urllib3-2.0.4/test/test_retry.py        2023-07-19 16:46:02.000000000 
+0200
+++ new/urllib3-2.0.6/test/test_retry.py        2023-10-02 19:07:11.000000000 
+0200
@@ -334,12 +334,12 @@
     def test_retry_default_remove_headers_on_redirect(self) -> None:
         retry = Retry()
 
-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
+        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 
     def test_retry_set_remove_headers_on_redirect(self) -> None:
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
 
-        assert list(retry.remove_headers_on_redirect) == ["x-api-secret"]
+        assert retry.remove_headers_on_redirect == {"x-api-secret"}
 
     @pytest.mark.parametrize("value", ["-1", "+1", "1.0", "\xb2"])  # \xb2 = ^2
     def test_parse_retry_after_invalid(self, value: str) -> None:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/urllib3-2.0.4/test/with_dummyserver/test_poolmanager.py 
new/urllib3-2.0.6/test/with_dummyserver/test_poolmanager.py
--- old/urllib3-2.0.4/test/with_dummyserver/test_poolmanager.py 2023-07-19 
16:46:02.000000000 +0200
+++ new/urllib3-2.0.6/test/with_dummyserver/test_poolmanager.py 2023-10-02 
19:07:11.000000000 +0200
@@ -141,7 +141,7 @@
                 "GET",
                 f"{self.base_url}/redirect",
                 fields={"target": f"{self.base_url_alt}/headers"},
-                headers={"Authorization": "foo"},
+                headers={"Authorization": "foo", "Cookie": "foo=bar"},
             )
 
             assert r.status == 200
@@ -149,12 +149,13 @@
             data = r.json()
 
             assert "Authorization" not in data
+            assert "Cookie" not in data
 
             r = http.request(
                 "GET",
                 f"{self.base_url}/redirect",
                 fields={"target": f"{self.base_url_alt}/headers"},
-                headers={"authorization": "foo"},
+                headers={"authorization": "foo", "cookie": "foo=bar"},
             )
 
             assert r.status == 200
@@ -163,6 +164,8 @@
 
             assert "authorization" not in data
             assert "Authorization" not in data
+            assert "cookie" not in data
+            assert "Cookie" not in data
 
     def test_redirect_cross_host_no_remove_headers(self) -> None:
         with PoolManager() as http:
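Review bot: Every request in these test hunks redirects from base_url to base_url_alt, so the new Cookie assertions cover only the cross-host case. A companion assertion that Cookie is still sent when the redirect target stays on the same host would guard against the header being stripped too broadly.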
@@ -170,7 +173,7 @@
                 "GET",
                 f"{self.base_url}/redirect",
                 fields={"target": f"{self.base_url_alt}/headers"},
-                headers={"Authorization": "foo"},
+                headers={"Authorization": "foo", "Cookie": "foo=bar"},
                 retries=Retry(remove_headers_on_redirect=[]),
             )
 
@@ -179,6 +182,7 @@
             data = r.json()
 
             assert data["Authorization"] == "foo"
+            assert data["Cookie"] == "foo=bar"
 
     def test_redirect_cross_host_set_removed_headers(self) -> None:
         with PoolManager() as http:
@@ -186,7 +190,11 @@
                 "GET",
                 f"{self.base_url}/redirect",
                 fields={"target": f"{self.base_url_alt}/headers"},
-                headers={"X-API-Secret": "foo", "Authorization": "bar"},
+                headers={
+                    "X-API-Secret": "foo",
+                    "Authorization": "bar",
+                    "Cookie": "foo=bar",
+                },
                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
             )
 
@@ -196,8 +204,13 @@
 
             assert "X-API-Secret" not in data
             assert data["Authorization"] == "bar"
+            assert data["Cookie"] == "foo=bar"
 
-            headers = {"x-api-secret": "foo", "authorization": "bar"}
+            headers = {
+                "x-api-secret": "foo",
+                "authorization": "bar",
+                "cookie": "foo=bar",
+            }
             r = http.request(
                 "GET",
                 f"{self.base_url}/redirect",
@@ -213,9 +226,14 @@
             assert "x-api-secret" not in data
             assert "X-API-Secret" not in data
             assert data["Authorization"] == "bar"
+            assert data["Cookie"] == "foo=bar"
 
             # Ensure the header argument itself is not modified in-place.
-            assert headers == {"x-api-secret": "foo", "authorization": "bar"}
+            assert headers == {
+                "x-api-secret": "foo",
+                "authorization": "bar",
+                "cookie": "foo=bar",
+            }
 
     def test_redirect_without_preload_releases_connection(self) -> None:
         with PoolManager(block=True, maxsize=2) as http:
