diff options
| author | Chee Yang Lee <chee.yang.lee@intel.com> | 2023-07-06 14:07:09 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-07-20 12:10:40 -1000 |
| commit | 02f174035101a78165c5c706f777944f448e6b69 (patch) | |
| tree | bc1593265c52502987ddf9772695b7da0f63ad7f /meta/recipes-devtools/python/python3-requests | |
| parent | 5f453b96a67acfefbabef9680a02c3763b1ac3dd (diff) | |
| download | poky-02f174035101a78165c5c706f777944f448e6b69.tar.gz | |
python3-requests: fix CVE-2023-32681
(From OE-Core rev: 11b6e64c07df043441824511c931fb0bc9673adc)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/python/python3-requests')
| -rw-r--r-- | meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch b/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch new file mode 100644 index 0000000000..0110615572 --- /dev/null +++ b/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch | |||
| @@ -0,0 +1,61 @@ | |||
| 1 | From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nate Prewitt <nate.prewitt@gmail.com> | ||
| 3 | Date: Mon, 22 May 2023 08:08:57 -0700 | ||
| 4 | Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q | ||
| 5 | |||
| 6 | CVE: CVE-2023-32681 | ||
| 7 | Upstream-Status: Backport | ||
| 8 | [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5] | ||
| 9 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
| 10 | |||
| 11 | --- | ||
| 12 | requests/sessions.py | 4 +++- | ||
| 13 | tests/test_requests.py | 20 ++++++++++++++++++++ | ||
| 14 | 2 files changed, 23 insertions(+), 1 deletion(-) | ||
| 15 | |||
| 16 | diff --git a/requests/sessions.py b/requests/sessions.py | ||
| 17 | index 6cb3b4dae3..dbcf2a7b0e 100644 | ||
| 18 | --- a/requests/sessions.py | ||
| 19 | +++ b/requests/sessions.py | ||
| 20 | @@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): | ||
| 21 | except KeyError: | ||
| 22 | username, password = None, None | ||
| 23 | |||
| 24 | - if username and password: | ||
| 25 | + # urllib3 handles proxy authorization for us in the standard adapter. | ||
| 26 | + # Avoid appending this to TLS tunneled requests where it may be leaked. | ||
| 27 | + if not scheme.startswith('https') and username and password: | ||
| 28 | headers["Proxy-Authorization"] = _basic_auth_str(username, password) | ||
| 29 | |||
| 30 | return new_proxies | ||
| 31 | diff --git a/tests/test_requests.py b/tests/test_requests.py | ||
| 32 | index b1c8dd4534..b420c44d73 100644 | ||
| 33 | --- a/tests/test_requests.py | ||
| 34 | +++ b/tests/test_requests.py | ||
| 35 | @@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): | ||
| 36 | |||
| 37 | assert sent_headers.get("Proxy-Authorization") == proxy_auth_value | ||
| 38 | |||
| 39 | + | ||
| 40 | + @pytest.mark.parametrize( | ||
| 41 | + "url,has_proxy_auth", | ||
| 42 | + ( | ||
| 43 | + ('http://example.com', True), | ||
| 44 | + ('https://example.com', False), | ||
| 45 | + ), | ||
| 46 | + ) | ||
| 47 | + def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): | ||
| 48 | + session = requests.Session() | ||
| 49 | + proxies = { | ||
| 50 | + 'http': 'http://test:pass@localhost:8080', | ||
| 51 | + 'https': 'http://test:pass@localhost:8090', | ||
| 52 | + } | ||
| 53 | + req = requests.Request('GET', url) | ||
| 54 | + prep = req.prepare() | ||
| 55 | + session.rebuild_proxies(prep, proxies) | ||
| 56 | + | ||
| 57 | + assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth | ||
| 58 | + | ||
| 59 | def test_basicauth_with_netrc(self, httpbin): | ||
| 60 | auth = ("user", "pass") | ||
| 61 | wrong_auth = ("wronguser", "wrongpass") | ||