Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-urllib3 for openSUSE:Factory checked in at 2023-10-19 22:46:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old) and /work/SRC/openSUSE:Factory/.python-urllib3.new.1945 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3" Thu Oct 19 22:46:47 2023 rev:64 rq:1118603 version:2.0.7 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes 2023-10-13 23:13:56.669434075 +0200 +++ /work/SRC/openSUSE:Factory/.python-urllib3.new.1945/python-urllib3.changes 2023-10-19 22:49:07.942377251 +0200 @@ -1,0 +2,7 @@ +Wed Oct 18 14:21:44 UTC 2023 - Daniel Garcia Moreno <daniel.gar...@suse.com> + +- update to 2.0.7 (bsc#1216377, CVE-2023-45803): + * Made body stripped from HTTP requests changing the request method + to GET after HTTP 303 "See Other" redirect responses. + +------------------------------------------------------------------- Old: ---- urllib3-2.0.6.tar.gz New: ---- urllib3-2.0.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.P3fmfF/_old 2023-10-19 22:49:08.534398723 +0200 +++ /var/tmp/diff_new_pack.P3fmfF/_new 2023-10-19 22:49:08.534398723 +0200 @@ -26,7 +26,7 @@ %endif %{?sle15_python_module_pythons} Name: python-urllib3%{psuffix} -Version: 2.0.6 +Version: 2.0.7 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT ++++++ urllib3-2.0.6.tar.gz -> urllib3-2.0.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/CHANGES.rst new/urllib3-2.0.7/CHANGES.rst --- old/urllib3-2.0.6/CHANGES.rst 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/CHANGES.rst 2023-10-17 19:26:50.000000000 +0200 @@ -1,3 +1,8 @@ +2.0.7 (2023-10-17) +================== + +* Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. + 2.0.6 (2023-10-02) ================== 
@@ -167,6 +172,16 @@ * Fixed a socket leak if ``HTTPConnection.connect()`` fails (`#2571 <https://github.com/urllib3/urllib3/pull/2571>`__). * Fixed ``urllib3.contrib.pyopenssl.WrappedSocket`` and ``urllib3.contrib.securetransport.WrappedSocket`` close methods (`#2970 <https://github.com/urllib3/urllib3/issues/2970>`__) +1.26.18 (2023-10-17) +==================== + +* Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. + +1.26.17 (2023-10-02) +==================== + +* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. (`#3139 <https://github.com/urllib3/urllib3/pull/3139>`_) + 1.26.16 (2023-05-23) ==================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/PKG-INFO new/urllib3-2.0.7/PKG-INFO --- old/urllib3-2.0.6/PKG-INFO 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/PKG-INFO 2023-10-17 19:26:50.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 2.0.6 +Version: 2.0.7 Summary: HTTP library with thread-safe connection pooling, file post, and more. Project-URL: Changelog, https://github.com/urllib3/urllib3/blob/main/CHANGES.rst Project-URL: Documentation, https://urllib3.readthedocs.io diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/dev-requirements.txt new/urllib3-2.0.7/dev-requirements.txt --- old/urllib3-2.0.6/dev-requirements.txt 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/dev-requirements.txt 2023-10-17 19:26:50.000000000 +0200 
@@ -10,4 +10,4 @@ cryptography==41.0.4;implementation_name!="pypy" or implementation_version>="7.3.10" backports.zoneinfo==0.2.1;python_version<"3.9" towncrier==23.6.0 -pytest-memray==1.4.0;python_version>="3.8" and python_version<"3.12" and sys_platform!="win32" and implementation_name=="cpython" +pytest-memray==1.4.0;python_version>="3.8" and python_version<"3.13" and sys_platform!="win32" and implementation_name=="cpython" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/dummyserver/handlers.py new/urllib3-2.0.7/dummyserver/handlers.py --- old/urllib3-2.0.6/dummyserver/handlers.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/dummyserver/handlers.py 2023-10-17 19:26:50.000000000 +0200 @@ -281,6 +281,12 @@ def headers(self, request: httputil.HTTPServerRequest) -> Response: return Response(json.dumps(dict(request.headers))) + def headers_and_params(self, request: httputil.HTTPServerRequest) -> Response: + params = request_params(request) + return Response( + json.dumps({"headers": dict(request.headers), "params": params}) + ) + def multi_headers(self, request: httputil.HTTPServerRequest) -> Response: return Response(json.dumps({"headers": list(request.headers.get_all())})) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/src/urllib3/_collections.py new/urllib3-2.0.7/src/urllib3/_collections.py --- old/urllib3-2.0.6/src/urllib3/_collections.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/src/urllib3/_collections.py 2023-10-17 19:26:50.000000000 +0200 @@ -8,7 +8,7 @@ if typing.TYPE_CHECKING: # We can only import Protocol if TYPE_CHECKING because it's a development # dependency, and is not available at runtime. - from typing_extensions import Protocol + from typing_extensions import Protocol, Self class HasGettableStringKeys(Protocol): def keys(self) -> typing.Iterator[str]: 
@@ -391,6 +391,24 @@ # meets our external interface requirement of `Union[List[str], _DT]`. return vals[1:] + def _prepare_for_method_change(self) -> Self: + """ + Remove content-specific header fields before changing the request + method to GET or HEAD according to RFC 9110, Section 15.4. + """ + content_specific_headers = [ + "Content-Encoding", + "Content-Language", + "Content-Location", + "Content-Type", + "Content-Length", + "Digest", + "Last-Modified", + ] + for header in content_specific_headers: + self.discard(header) + return self + # Backwards compatibility for httplib getheaders = getlist getallmatchingheaders = getlist diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/src/urllib3/_version.py new/urllib3-2.0.7/src/urllib3/_version.py --- old/urllib3-2.0.6/src/urllib3/_version.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/src/urllib3/_version.py 2023-10-17 19:26:50.000000000 +0200 @@ -1,4 +1,4 @@ # This file is protected via CODEOWNERS from __future__ import annotations -__version__ = "2.0.6" +__version__ = "2.0.7" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/src/urllib3/connectionpool.py new/urllib3-2.0.7/src/urllib3/connectionpool.py --- old/urllib3-2.0.6/src/urllib3/connectionpool.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/src/urllib3/connectionpool.py 2023-10-17 19:26:50.000000000 +0200 @@ -11,6 +11,7 @@ from types import TracebackType from ._base_connection import _TYPE_BODY +from ._collections import HTTPHeaderDict from ._request_methods import RequestMethods from .connection import ( BaseSSLError, 
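Review bot: `_prepare_for_method_change` mutates the receiver in place through `self.discard(header)` and then returns it, so the `-> Self` annotation reads like a copy-returning helper while the call actually edits the dict; the docstring should state `Mutates this dict in place and returns it; copy first (``HTTPHeaderDict(headers)``) if the original must be kept.` The `content_specific_headers` list is rebuilt on every call; a module-level `frozenset` constant (e.g. `_CONTENT_SPECIFIC_HEADERS`) would make the stripping policy easy to find and audit and avoids the per-call allocation. Whether `discard` goes through the dict's case-insensitive key handling is not visible in this hunk; if it does not, a request carrying `content-type` in lower case keeps its header after the 303 method change, which is exactly the case the fix targets, so a unit test with mixed-case keys is worth adding. The enclosing class starts outside the hunk.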
@@ -893,7 +894,11 @@ redirect_location = redirect and response.get_redirect_location() if redirect_location: if response.status == 303: + # Change the method according to RFC 9110, Section 15.4.4. method = "GET" + # And lose the body not to transfer anything sensitive. + body = None + headers = HTTPHeaderDict(headers)._prepare_for_method_change() try: retries = retries.increment(method, url, response=response, _pool=self) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/src/urllib3/poolmanager.py new/urllib3-2.0.7/src/urllib3/poolmanager.py --- old/urllib3-2.0.6/src/urllib3/poolmanager.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/src/urllib3/poolmanager.py 2023-10-17 19:26:50.000000000 +0200 @@ -7,7 +7,7 @@ from types import TracebackType from urllib.parse import urljoin -from ._collections import RecentlyUsedContainer +from ._collections import HTTPHeaderDict, RecentlyUsedContainer from ._request_methods import RequestMethods from .connection import ProxyConfig from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme @@ -449,9 +449,12 @@ # Support relative URLs for redirecting. redirect_location = urljoin(url, redirect_location) - # RFC 7231, Section 6.4.4 if response.status == 303: + # Change the method according to RFC 9110, Section 15.4.4. method = "GET" + # And lose the body not to transfer anything sensitive. + kw["body"] = None + kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() retries = kw.get("retries") if not isinstance(retries, Retry): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/src/urllib3/util/ssl_.py new/urllib3-2.0.7/src/urllib3/util/ssl_.py --- old/urllib3-2.0.6/src/urllib3/util/ssl_.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/src/urllib3/util/ssl_.py 2023-10-17 19:26:50.000000000 +0200 
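Review bot: Clearing `body` on a 303 in connectionpool.py `urlopen` (`@@ -893`) without also resetting the recorded body position can break the redirect when the original POST body was a file-like object: if, as elsewhere in `urlopen` (outside this hunk), the recursive call forwards the earlier `body_pos` and the callee tries to rewind the body, it will now be asked to seek a `None` body. If that is the flow, add `body_pos = None` next to `body = None`; the poolmanager.py hunk at `@@ -449` has the same shape and would need `kw["body_pos"] = None` only if it forwards that argument. The new comment `# And lose the body not to transfer anything sensitive.` is awkward in both files; suggest `# Drop the body so nothing sensitive from the original request is re-sent with the GET (CVE-2023-45803).` Both enclosing functions start and end outside the hunks.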
@@ -411,8 +411,10 @@ tls_in_tls: bool = False, ) -> ssl.SSLSocket | SSLTransportType: """ - All arguments except for server_hostname, ssl_context, and ca_cert_dir have - the same meaning as they do when using :func:`ssl.wrap_socket`. + All arguments except for server_hostname, ssl_context, tls_in_tls, ca_cert_data and + ca_cert_dir have the same meaning as they do when using + :func:`ssl.create_default_context`, :meth:`ssl.SSLContext.load_cert_chain`, + :meth:`ssl.SSLContext.set_ciphers` and :meth:`ssl.SSLContext.wrap_socket`. :param server_hostname: When SNI is supported, the expected hostname of the certificate diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/test/with_dummyserver/test_connectionpool.py new/urllib3-2.0.7/test/with_dummyserver/test_connectionpool.py --- old/urllib3-2.0.6/test/with_dummyserver/test_connectionpool.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/test/with_dummyserver/test_connectionpool.py 2023-10-17 19:26:50.000000000 +0200 
@@ -480,6 +480,17 @@ assert r.status == 200 assert r.data == b"Dummy server!" + def test_303_redirect_makes_request_lose_body(self) -> None: + with HTTPConnectionPool(self.host, self.port) as pool: + response = pool.request( + "POST", + "/redirect", + fields={"target": "/headers_and_params", "status": "303 See Other"}, + ) + data = response.json() + assert data["params"] == {} + assert "Content-Type" not in HTTPHeaderDict(data["headers"]) + def test_bad_connect(self) -> None: with HTTPConnectionPool("badhost.invalid", self.port) as pool: with pytest.raises(MaxRetryError) as e: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-2.0.6/test/with_dummyserver/test_poolmanager.py new/urllib3-2.0.7/test/with_dummyserver/test_poolmanager.py --- old/urllib3-2.0.6/test/with_dummyserver/test_poolmanager.py 2023-10-02 19:07:11.000000000 +0200 +++ new/urllib3-2.0.7/test/with_dummyserver/test_poolmanager.py 2023-10-17 19:26:50.000000000 +0200 @@ -244,6 +244,20 @@ assert r._pool.num_connections == 1 assert len(http.pools) == 1 + def test_303_redirect_makes_request_lose_body(self) -> None: + with PoolManager() as http: + response = http.request( + "POST", + f"{self.base_url}/redirect", + fields={ + "target": f"{self.base_url}/headers_and_params", + "status": "303 See Other", + }, + ) + data = response.json() + assert data["params"] == {} + assert "Content-Type" not in HTTPHeaderDict(data["headers"]) + def test_unknown_scheme(self) -> None: with PoolManager() as http: unknown_scheme = "unknown"
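Review bot: `test_303_redirect_makes_request_lose_body` asserts only that `Content-Type` is absent and that the echoed params are empty, which does not confirm that the follow-up request was actually a GET nor that `Content-Length` was stripped along with the body. The `headers_and_params` handler added in dummyserver/handlers.py does not echo the request method, so the test cannot check it; extending the handler's JSON with `"method": request.method` and adding `assert data["method"] == "GET"` and `assert "Content-Length" not in HTTPHeaderDict(data["headers"])` would pin the behaviour the CVE fix is about. The matching poolmanager test in the next hunk (`@@ -244`) needs the same assertions. Both enclosing test classes start outside the hunks.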