Hello community, here is the log from the commit of package python-urllib3 for openSUSE:Factory checked in at 2019-04-20 17:12:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old) and /work/SRC/openSUSE:Factory/.python-urllib3.new.5536 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3" Sat Apr 20 17:12:08 2019 rev:26 rq:695347 version:1.24.2 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes 2019-01-03 18:04:49.292236716 +0100 +++ /work/SRC/openSUSE:Factory/.python-urllib3.new.5536/python-urllib3.changes 2019-04-20 17:12:14.378839722 +0200 
@@ -1,0 +2,31 @@ +Thu Apr 18 00:02:07 CEST 2019 - Matej Cepl <mc...@suse.com> + +- Update to 1.24.2: + - Implemented a more efficient HTTPResponse.__iter__() method. + (Issue #1483) + - Upgraded urllib3.utils.parse_url() to be RFC 3986 compliant. + (Pull #1487) + - Remove Authorization header regardless of case when + redirecting to cross-site. (Issue #1510) + - Added support for key_password for HTTPSConnectionPool to use + encrypted key_file without creating your own SSLContext + object. (Pull #1489) + - Fixed issue where OpenSSL would block if an encrypted client + private key was given and no password was given. Instead an + SSLError is raised. (Pull #1489) + - Require and validate certificates by default when using HTTPS + (Pull #1507) + - Added support for Brotli content encoding. It is enabled + automatically if brotlipy package is installed which can be + requested with urllib3[brotli] extra. (Pull #1532) + - Add TLSv1.3 support to CPython, pyOpenSSL, and + SecureTransport SSLContext implementations. (Pull #1496) + - Drop ciphers using DSS key exchange from default TLS cipher + suites. Improve default ciphers when using SecureTransport. + (Pull #1496) + - Add support for IPv6 addresses in subjectAltName section of + certificates. (Issue #1269) + - Switched the default multipart header encoder from RFC 2231 + to HTML 5 working draft. (Issue #303, PR #1492) + +------------------------------------------------------------------- Old: ---- urllib3-1.24.1.tar.gz New: ---- urllib3-1.24.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.ownbl4/_old 2019-04-20 17:12:16.318842650 +0200 +++ /var/tmp/diff_new_pack.ownbl4/_new 2019-04-20 17:12:16.322842656 +0200 
@@ -1,7 +1,7 @@ # # spec file for package python-urllib3 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,7 +31,7 @@ %else Name: python-urllib3 %endif -Version: 1.24.1 +Version: 1.24.2 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT ++++++ urllib3-1.24.1.tar.gz -> urllib3-1.24.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/CHANGES.rst new/urllib3-1.24.2/CHANGES.rst --- old/urllib3-1.24.1/CHANGES.rst 2018-11-02 20:08:50.000000000 +0100 +++ new/urllib3-1.24.2/CHANGES.rst 2019-04-17 19:47:29.000000000 +0200 @@ -1,12 +1,23 @@ Changes ======= +1.24.2 (2019-04-17) +------------------- + +* Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or + ``ssl_context`` parameters are specified. + +* Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510) + +* Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269) + + 1.24.1 (2018-11-02) ------------------- * Remove quadratic behavior within ``GzipDecoder.decompress()`` (Issue #1467) -* Restored functionality of `ciphers` parameter for `create_urllib3_context()`. (Issue #1462) +* Restored functionality of ``ciphers`` parameter for ``create_urllib3_context()``. (Issue #1462) 1.24 (2018-10-16) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/CONTRIBUTORS.txt new/urllib3-1.24.2/CONTRIBUTORS.txt --- old/urllib3-1.24.1/CONTRIBUTORS.txt 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/CONTRIBUTORS.txt 2019-04-17 19:46:49.000000000 +0200 
@@ -272,5 +272,8 @@ * Justin Bramley <https://github.com/jbramleycl> * Add ability to handle multiple Content-Encodings +* Katsuhiko YOSHIDA <https://github.com/kyoshidajp> + * Remove Authorization header regardless of case when redirecting to cross-site + * [Your name or handle] <[email or website]> * [Brief summary of your changes] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/PKG-INFO new/urllib3-1.24.2/PKG-INFO --- old/urllib3-1.24.1/PKG-INFO 2018-11-02 20:11:08.000000000 +0100 +++ new/urllib3-1.24.2/PKG-INFO 2019-04-17 19:49:35.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.24.1 +Version: 1.24.2 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov @@ -119,12 +119,23 @@ Changes ======= + 1.24.2 (2019-04-17) + ------------------- + + * Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or + ``ssl_context`` parameters are specified. + + * Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510) + + * Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269) + + 1.24.1 (2018-11-02) ------------------- * Remove quadratic behavior within ``GzipDecoder.decompress()`` (Issue #1467) - * Restored functionality of `ciphers` parameter for `create_urllib3_context()`. (Issue #1462) + * Restored functionality of ``ciphers`` parameter for ``create_urllib3_context()``. (Issue #1462) 1.24 (2018-10-16) 
@@ -1097,5 +1108,5 @@ Classifier: Topic :: Internet :: WWW/HTTP Classifier: Topic :: Software Development :: Libraries Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, <4 -Provides-Extra: socks Provides-Extra: secure +Provides-Extra: socks diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/dummyserver/certs/server.ipv6_san.crt new/urllib3-1.24.2/dummyserver/certs/server.ipv6_san.crt --- old/urllib3-1.24.1/dummyserver/certs/server.ipv6_san.crt 1970-01-01 01:00:00.000000000 +0100 +++ new/urllib3-1.24.2/dummyserver/certs/server.ipv6_san.crt 2019-04-17 19:46:49.000000000 +0200 @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICfTCCAeagAwIBAgIJAPcpn3/M5+piMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTgxMjE5MDUyMjUyWhcNNDgxMjE4MDUyMjUyWjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDXe3FqmCWvP8XPxqtT+0bfL1Tvzvebi46k0WIcUV8bP3vyYiSRXG9ALmyzZH4G +HY9UVs4OEDkCMDOBSezB0y9ai/9doTNcaictdEBu8nfdXKoTtzrn+VX4UPrkH5hm +7NQ1fTQuj1MR7yBCmYqN3Q2Q+Efuujyx0FwBzAuy1aKYuwIDAQABo3UwczAdBgNV +HQ4EFgQUG+dK5Uos08QUwAWofDb3a8YcYlIwHwYDVR0jBBgwFoAUG+dK5Uos08QU +wAWofDb3a8YcYlIwDwYDVR0TAQH/BAUwAwEB/zAgBgNVHREEGTAXggM6OjGHEAAA +AAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAjT767TDq6q4lOextf3tZ +BjeuYDUy7bb1fDBAN5rBT1ywr7r0JE6/KOnsZx4jbevx3MllxNpx0gOM2bgwJlnG +8tgwRB6pxDyln01WBj9b5ymK60jdkw7gg3yYpqEs5/VBQidFO3BmDqf5cGO8PU7p +0VWdfJBP2UbwblNXdImI1zk= +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/dummyserver/server.py new/urllib3-1.24.2/dummyserver/server.py --- old/urllib3-1.24.1/dummyserver/server.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/dummyserver/server.py 2019-04-17 19:47:29.000000000 +0200 
@@ -58,11 +58,16 @@ 'certfile': os.path.join(CERTS_PATH, 'server.ipv6addr.crt'), 'keyfile': os.path.join(CERTS_PATH, 'server.ipv6addr.key'), } +IPV6_SAN_CERTS = { + 'certfile': os.path.join(CERTS_PATH, 'server.ipv6_san.crt'), + 'keyfile': DEFAULT_CERTS['keyfile'] +} DEFAULT_CA = os.path.join(CERTS_PATH, 'cacert.pem') DEFAULT_CA_BAD = os.path.join(CERTS_PATH, 'client_bad.pem') NO_SAN_CA = os.path.join(CERTS_PATH, 'cacert.no_san.pem') DEFAULT_CA_DIR = os.path.join(CERTS_PATH, 'ca_path_test') IPV6_ADDR_CA = os.path.join(CERTS_PATH, 'server.ipv6addr.crt') +IPV6_SAN_CA = os.path.join(CERTS_PATH, 'server.ipv6_san.crt') COMBINED_CERT_AND_KEY = os.path.join(CERTS_PATH, 'server.combined.pem') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3/__init__.py new/urllib3-1.24.2/src/urllib3/__init__.py --- old/urllib3-1.24.1/src/urllib3/__init__.py 2018-11-02 20:09:02.000000000 +0100 +++ new/urllib3-1.24.2/src/urllib3/__init__.py 2019-04-17 19:47:29.000000000 +0200 @@ -27,7 +27,7 @@ __author__ = 'Andrey Petrov (andrey.pet...@shazow.net)' __license__ = 'MIT' -__version__ = '1.24.1' +__version__ = '1.24.2' __all__ = ( 'HTTPConnectionPool', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3/contrib/pyopenssl.py new/urllib3-1.24.2/src/urllib3/contrib/pyopenssl.py --- old/urllib3-1.24.1/src/urllib3/contrib/pyopenssl.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/src/urllib3/contrib/pyopenssl.py 2019-04-17 19:47:29.000000000 +0200 
@@ -184,6 +184,9 @@ except idna.core.IDNAError: return None + if ':' in name: + return name + name = idna_encode(name) if name is None: return None diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3/poolmanager.py new/urllib3-1.24.2/src/urllib3/poolmanager.py --- old/urllib3-1.24.1/src/urllib3/poolmanager.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/src/urllib3/poolmanager.py 2019-04-17 19:47:29.000000000 +0200 @@ -7,6 +7,7 @@ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool from .connectionpool import port_by_scheme from .exceptions import LocationValueError, MaxRetryError, ProxySchemeUnknown +from .packages import six from .packages.six.moves.urllib.parse import urljoin from .request import RequestMethods from .util.url import parse_url @@ -342,8 +343,10 @@ # conn.is_same_host() which may use socket.gethostbyname() in the future. if (retries.remove_headers_on_redirect and not conn.is_same_host(redirect_location)): - for header in retries.remove_headers_on_redirect: - kw['headers'].pop(header, None) + headers = list(six.iterkeys(kw['headers'])) + for header in headers: + if header.lower() in retries.remove_headers_on_redirect: + kw['headers'].pop(header, None) try: retries = retries.increment(method, url, response=response, _pool=conn) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3/util/retry.py new/urllib3-1.24.2/src/urllib3/util/retry.py --- old/urllib3-1.24.1/src/urllib3/util/retry.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/src/urllib3/util/retry.py 2019-04-17 19:46:49.000000000 +0200 
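Review bot: The early return `if ':' in name: return name` skips `idna_encode` for every name that contains a colon, not only for IPv6 literals, and nothing in the hunk says why. I would add a comment directly above it, `# IPv6 address literals must not go through the IDNA encoder; return them unchanged`, and say there that the colon test is a heuristic rather than an address parse. This path returns `name` exactly as received, while the path below returns the output of `idna_encode`, so the two may differ in string type. That is worth confirming against the rest of the function, which lies outside the hunk.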
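Review bot: The test `header.lower() in retries.remove_headers_on_redirect` in the redirect branch is correct only while that collection holds lower-case names, an invariant set up in the retry.py hunk of this commit and not stated here. A one-line comment above the loop would keep the two in step: `# remove_headers_on_redirect is lower-cased in Retry.__init__, so match on header.lower()`. The loop also pops from `kw['headers']` in place; if that mapping can be the dict the caller passed in (not visible in this hunk), the caller's headers are modified as a side effect, and copying it before the loop would avoid that. The enclosing function starts and ends outside the hunk.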
@@ -179,7 +179,8 @@ self.raise_on_status = raise_on_status self.history = history or tuple() self.respect_retry_after_header = respect_retry_after_header - self.remove_headers_on_redirect = remove_headers_on_redirect + self.remove_headers_on_redirect = frozenset([ + h.lower() for h in remove_headers_on_redirect]) def new(self, **kw): params = dict( diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3/util/ssl_.py new/urllib3-1.24.2/src/urllib3/util/ssl_.py --- old/urllib3-1.24.1/src/urllib3/util/ssl_.py 2018-11-02 20:07:12.000000000 +0100 +++ new/urllib3-1.24.2/src/urllib3/util/ssl_.py 2019-04-17 19:47:29.000000000 +0200 @@ -327,7 +327,10 @@ if e.errno == errno.ENOENT: raise SSLError(e) raise - elif getattr(context, 'load_default_certs', None) is not None: + + # Don't load system certs unless there were no CA certs or + # SSLContext object specified manually. + elif ssl_context is None and hasattr(context, 'load_default_certs'): # try to load OS default certs; works well on Windows (require Python3.4+) context.load_default_certs() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3.egg-info/PKG-INFO new/urllib3-1.24.2/src/urllib3.egg-info/PKG-INFO --- old/urllib3-1.24.1/src/urllib3.egg-info/PKG-INFO 2018-11-02 20:11:08.000000000 +0100 +++ new/urllib3-1.24.2/src/urllib3.egg-info/PKG-INFO 2019-04-17 19:49:35.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.24.1 +Version: 1.24.2 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov 
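Review bot: `frozenset([h.lower() for h in remove_headers_on_redirect])` iterates whatever it is given, so a caller who passes a bare string such as `'Authorization'` ends up with a set of single characters and the header is no longer matched on a cross-host redirect. A guard before the assignment would catch this, for example `if isinstance(remove_headers_on_redirect, six.string_types): remove_headers_on_redirect = [remove_headers_on_redirect]`, assuming the vendored `six` that the poolmanager.py hunk imports is also in scope in this module. The parameter's docstring, which is outside the hunk, should also say that names are matched case-insensitively and stored lower-cased in a frozenset, since the attribute no longer hands back the caller's own sequence.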
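Review bot: The added comment `# Don't load system certs unless there were no CA certs or SSLContext object specified manually.` is a double negative on the line that decides which trust store is used. I would word it as `# Load the OS trust store only when the caller supplied neither CA certs nor their own SSLContext.`. With the new `ssl_context is None` condition, a caller-supplied context that has no CA certificates loaded is left with none, so verification against it fails rather than falling back to the system store. That contract belongs in the function's docstring, which is outside the hunk, as is the `if` this `elif` continues.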
@@ -119,12 +119,23 @@ Changes ======= + 1.24.2 (2019-04-17) + ------------------- + + * Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or + ``ssl_context`` parameters are specified. + + * Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510) + + * Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269) + + 1.24.1 (2018-11-02) ------------------- * Remove quadratic behavior within ``GzipDecoder.decompress()`` (Issue #1467) - * Restored functionality of `ciphers` parameter for `create_urllib3_context()`. (Issue #1462) + * Restored functionality of ``ciphers`` parameter for ``create_urllib3_context()``. (Issue #1462) 1.24 (2018-10-16) @@ -1097,5 +1108,5 @@ Classifier: Topic :: Internet :: WWW/HTTP Classifier: Topic :: Software Development :: Libraries Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, <4 -Provides-Extra: socks Provides-Extra: secure +Provides-Extra: socks diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/src/urllib3.egg-info/SOURCES.txt new/urllib3-1.24.2/src/urllib3.egg-info/SOURCES.txt --- old/urllib3-1.24.1/src/urllib3.egg-info/SOURCES.txt 2018-11-02 20:11:08.000000000 +0100 +++ new/urllib3-1.24.2/src/urllib3.egg-info/SOURCES.txt 2019-04-17 19:49:35.000000000 +0200 
@@ -41,6 +41,7 @@ dummyserver/certs/server.crt dummyserver/certs/server.csr dummyserver/certs/server.ip_san.crt +dummyserver/certs/server.ipv6_san.crt dummyserver/certs/server.ipv6addr.crt dummyserver/certs/server.ipv6addr.key dummyserver/certs/server.key diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/test/contrib/test_pyopenssl.py new/urllib3-1.24.2/test/contrib/test_pyopenssl.py --- old/urllib3-1.24.1/test/contrib/test_pyopenssl.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/test/contrib/test_pyopenssl.py 2019-04-17 19:47:29.000000000 +0200 @@ -31,7 +31,10 @@ pass -from ..with_dummyserver.test_https import TestHTTPS, TestHTTPS_TLSv1 # noqa: F401 +from ..with_dummyserver.test_https import ( # noqa: F401 + TestHTTPS, TestHTTPS_TLSv1, TestHTTPS_IPv6Addr, + TestHTTPS_IPSAN, TestHTTPS_NoSAN, TestHTTPS_IPV6SAN +) from ..with_dummyserver.test_socketlevel import ( # noqa: F401 TestSNI, TestSocketClosing, TestClientCerts ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/test/test_retry.py new/urllib3-1.24.2/test/test_retry.py --- old/urllib3-1.24.1/test/test_retry.py 2018-10-05 23:00:05.000000000 +0200 +++ new/urllib3-1.24.2/test/test_retry.py 2019-04-17 19:47:00.000000000 +0200 
@@ -253,9 +253,9 @@ def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ['Authorization'] + assert list(retry.remove_headers_on_redirect) == ['authorization'] def test_retry_set_remove_headers_on_redirect(self): - retry = Retry(remove_headers_on_redirect=['X-API-Secret']) + retry = Retry(remove_headers_on_redirect=['x-api-secret']) - assert list(retry.remove_headers_on_redirect) == ['X-API-Secret'] + assert list(retry.remove_headers_on_redirect) == ['x-api-secret'] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/test/test_ssl.py new/urllib3-1.24.2/test/test_ssl.py --- old/urllib3-1.24.1/test/test_ssl.py 2018-11-02 20:07:12.000000000 +0100 +++ new/urllib3-1.24.2/test/test_ssl.py 2019-04-17 19:47:00.000000000 +0200 
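Review bot: `test_retry_set_remove_headers_on_redirect` now passes an already lower-case name, `Retry(remove_headers_on_redirect=['x-api-secret'])`, so it no longer checks that the constructor normalises case. Keeping the mixed-case input and asserting the lower-case result covers the behaviour this commit adds: `retry = Retry(remove_headers_on_redirect=['X-API-Secret'])` followed by `assert list(retry.remove_headers_on_redirect) == ['x-api-secret']`.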
@@ -88,3 +88,40 @@ assert context.set_ciphers.call_count == 1 assert context.set_ciphers.call_args == mock.call(expected_ciphers) + + +def test_wrap_socket_given_context_no_load_default_certs(): + context = mock.create_autospec(ssl_.SSLContext) + context.load_default_certs = mock.Mock() + + sock = mock.Mock() + ssl_.ssl_wrap_socket(sock, ssl_context=context) + + context.load_default_certs.assert_not_called() + + +def test_wrap_socket_given_ca_certs_no_load_default_certs(monkeypatch): + context = mock.create_autospec(ssl_.SSLContext) + context.load_default_certs = mock.Mock() + context.options = 0 + + monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context) + + sock = mock.Mock() + ssl_.ssl_wrap_socket(sock, ca_certs="/tmp/fake-file") + + context.load_default_certs.assert_not_called() + context.load_verify_locations.assert_called_with("/tmp/fake-file", None) + + +def test_wrap_socket_default_loads_default_certs(monkeypatch): + context = mock.create_autospec(ssl_.SSLContext) + context.load_default_certs = mock.Mock() + context.options = 0 + + monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context) + + sock = mock.Mock() + ssl_.ssl_wrap_socket(sock) + + context.load_default_certs.assert_called_with() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/test/with_dummyserver/test_https.py new/urllib3-1.24.2/test/with_dummyserver/test_https.py --- old/urllib3-1.24.1/test/with_dummyserver/test_https.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/test/with_dummyserver/test_https.py 2019-04-17 19:47:29.000000000 +0200 @@ -17,7 +17,7 @@ DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS, NO_SAN_CERTS, NO_SAN_CA, DEFAULT_CA_DIR, IPV6_ADDR_CERTS, IPV6_ADDR_CA, HAS_IPV6, - IP_SAN_CERTS) + IP_SAN_CERTS, IPV6_SAN_CA, IPV6_SAN_CERTS) from test import ( onlyPy279OrNewer, 
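Review bot: The three new tests cover a caller-supplied `ssl_context`, `ca_certs`, and the default, but not `ca_cert_dir` given on its own, although the changelog entry in this commit lists the CA directory among the parameters that suppress loading the system certificates. A fourth test mirroring `test_wrap_socket_given_ca_certs_no_load_default_certs` would pin that case. The sketch below assumes the second positional argument of `load_verify_locations` is the directory, as the existing `assert_called_with("/tmp/fake-file", None)` suggests. Its path is a constructed sample value.

```python
def test_wrap_socket_given_ca_cert_dir_no_load_default_certs(monkeypatch):
    context = mock.create_autospec(ssl_.SSLContext)
    context.load_default_certs = mock.Mock()
    context.options = 0

    monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)

    sock = mock.Mock()
    ssl_.ssl_wrap_socket(sock, ca_cert_dir="/tmp/fake-dir")

    context.load_default_certs.assert_not_called()
    context.load_verify_locations.assert_called_with(None, "/tmp/fake-dir")
```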
@@ -623,6 +623,24 @@ self.addCleanup(https_pool.close) r = https_pool.request('GET', '/') self.assertEqual(r.status, 200) + + +class TestHTTPS_IPV6SAN(IPV6HTTPSDummyServerTestCase): + certs = IPV6_SAN_CERTS + + def test_can_validate_ipv6_san(self): + """Ensure that urllib3 can validate SANs with IPv6 addresses in them.""" + try: + import ipaddress # noqa: F401 + except ImportError: + pytest.skip("Only runs on systems with an ipaddress module") + + https_pool = HTTPSConnectionPool('[::1]', self.port, + cert_reqs='CERT_REQUIRED', + ca_certs=IPV6_SAN_CA) + self.addCleanup(https_pool.close) + r = https_pool.request('GET', '/') + self.assertEqual(r.status, 200) if __name__ == '__main__': diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.24.1/test/with_dummyserver/test_poolmanager.py new/urllib3-1.24.2/test/with_dummyserver/test_poolmanager.py --- old/urllib3-1.24.1/test/with_dummyserver/test_poolmanager.py 2018-10-16 19:45:39.000000000 +0200 +++ new/urllib3-1.24.2/test/with_dummyserver/test_poolmanager.py 2019-04-17 19:47:29.000000000 +0200 @@ -123,6 +123,17 @@ self.assertNotIn('Authorization', data) + r = http.request('GET', '%s/redirect' % self.base_url, + fields={'target': '%s/headers' % self.base_url_alt}, + headers={'authorization': 'foo'}) + + self.assertEqual(r.status, 200) + + data = json.loads(r.data.decode('utf-8')) + + self.assertNotIn('authorization', data) + self.assertNotIn('Authorization', data) + def test_redirect_cross_host_no_remove_headers(self): http = PoolManager() self.addCleanup(http.clear) 
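Review bot: `test_can_validate_ipv6_san` does not say which subjectAltName entry is expected to satisfy the match. The fixture `server.ipv6_san.crt` added in this commit appears to carry `::1` both as a dNSName and as an iPAddress entry, so a pass does not show which one was used. A short comment in the test naming the entry each TLS backend is expected to match would make a later regression easier to read. The import guard can also be shortened to `pytest.importorskip("ipaddress")`, which skips the test in the same situation as the four-line `try`/`except ImportError` block.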
@@ -155,6 +166,21 @@ self.assertNotIn('X-API-Secret', data) self.assertEqual(data['Authorization'], 'bar') + r = http.request('GET', '%s/redirect' % self.base_url, + fields={'target': '%s/headers' % self.base_url_alt}, + headers={'x-api-secret': 'foo', + 'authorization': 'bar'}, + retries=Retry(remove_headers_on_redirect=['X-API-Secret'])) + + self.assertEqual(r.status, 200) + + data = json.loads(r.data.decode('utf-8')) + + self.assertNotIn('x-api-secret', data) + self.assertNotIn('X-API-Secret', data) + + self.assertEqual(data['Authorization'], 'bar') + def test_raise_on_redirect(self): http = PoolManager() self.addCleanup(http.clear) ++++++ urllib3-ssl-default-context.patch ++++++ --- /var/tmp/diff_new_pack.ownbl4/_old 2019-04-20 17:12:16.494842915 +0200 +++ /var/tmp/diff_new_pack.ownbl4/_new 2019-04-20 17:12:16.494842915 +0200 @@ -1,7 +1,7 @@ --- a/src/urllib3/util/ssl_.py +++ b/src/urllib3/util/ssl_.py -@@ -330,6 +330,8 @@ def ssl_wrap_socket(sock, keyfile=None, - elif getattr(context, 'load_default_certs', None) is not None: +@@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None, + elif ssl_context is None and hasattr(context, 'load_default_certs'): # try to load OS default certs; works well on Windows (require Python3.4+) context.load_default_certs() + elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):
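Review bot: The refreshed downstream patch still adds `elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):` without the `ssl_context is None` condition that upstream now puts on the branch before it. When a caller passes their own `SSLContext`, the upstream branch is skipped and control reaches this one. It presumably loads the default verify paths (its body is outside the hunk), which would bring system certificates back into a context the caller configured. If that is not intended, the condition should read `elif ssl_context is None and cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):`.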