python3-urllib3: fix CVE-2025-50182

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-50182 Upstream patch: https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f (From OE-Core rev: 082b865d9814e7e7aca4466551a035199aa8b563) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-06-26 17:24:59 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-04 07:50:16 -0700
commit: 0372024fe7ab2cea5eddf686f9bee0f8f07a2000 (patch)
tree: e15c57c50b24dfbb7905bcceb3cb29a5988b648e /meta/recipes-devtools/python
parent: 7994e190182c1cf8f1bfa5b58722849b695288ad (diff)
download: poky-0372024fe7ab2cea5eddf686f9bee0f8f07a2000.tar.gz
2 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch
new file mode 100644
index 0000000000..2f6ba478d5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch
@@ -0,0 +1,125 @@
+From 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 18 Jun 2025 16:30:35 +0300
+Subject: [PATCH] Merge commit from fork
+CVE: CVE-2025-50182
+Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ docs/reference/contrib/emscripten.rst      |  2 +-
+ src/urllib3/contrib/emscripten/fetch.py    | 20 ++++++++++
+ test/contrib/emscripten/test_emscripten.py | 46 ++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 1 deletion(-)
+diff --git a/docs/reference/contrib/emscripten.rst b/docs/reference/contrib/emscripten.rst
+index a8f1cda..4670757 100644
+--- a/docs/reference/contrib/emscripten.rst
+++ b/docs/reference/contrib/emscripten.rst
+@@ -65,7 +65,7 @@ Features which are usable with Emscripten support are:
+ * Timeouts
+ * Retries
+ * Streaming (with Web Workers and Cross-Origin Isolation)
+-* Redirects (determined by browser/runtime, not restrictable with urllib3)
+* Redirects (urllib3 controls redirects in Node.js but not in browsers where behavior is determined by runtime)
+ * Decompressing response bodies
+ Features which don't work with Emscripten:
+diff --git a/src/urllib3/contrib/emscripten/fetch.py b/src/urllib3/contrib/emscripten/fetch.py
+index a514306..6695821 100644
+--- a/src/urllib3/contrib/emscripten/fetch.py
+++ b/src/urllib3/contrib/emscripten/fetch.py
+@@ -573,6 +573,11 @@ def send_jspi_request(
+         "method": request.method,
+         "signal": js_abort_controller.signal,
+     }
+    # Node.js returns the whole response (unlike opaqueredirect in browsers),
+    # so urllib3 can set `redirect: manual` to control redirects itself.
+    # https://stackoverflow.com/a/78524615
+    if _is_node_js():
+        fetch_data["redirect"] = "manual"
+     # Call JavaScript fetch (async api, returns a promise)
+     fetcher_promise_js = js.fetch(request.url, _obj_from_dict(fetch_data))
+     # Now suspend WebAssembly until we resolve that promise
+@@ -693,6 +698,21 @@ def has_jspi() -> bool:
+         return False
+def _is_node_js() -> bool:
+    """
+    Check if we are in Node.js.
+
+    :return: True if we are in Node.js.
+    :rtype: bool
+    """
+    return (
+        hasattr(js, "process")
+        and hasattr(js.process, "release")
+        # According to the Node.js documentation, the release name is always "node".
+        and js.process.release.name == "node"
+    )
+
+
+ def streaming_ready() -> bool | None:
+     if _fetcher:
+         return _fetcher.streaming_ready
+diff --git a/test/contrib/emscripten/test_emscripten.py b/test/contrib/emscripten/test_emscripten.py
+index 5eaa674..fbf89fc 100644
+--- a/test/contrib/emscripten/test_emscripten.py
+++ b/test/contrib/emscripten/test_emscripten.py
+@@ -960,6 +960,52 @@ def test_redirects(
+     )
+@pytest.mark.with_jspi
+def test_disabled_redirects(
+    selenium_coverage: typing.Any, testserver_http: PyodideServerInfo
+) -> None:
+    """
+    Test that urllib3 can control redirects in Node.js.
+    """
+
+    @run_in_pyodide  # type: ignore[misc]
+    def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) -> None:
+        import pytest
+
+        from urllib3 import PoolManager, request
+        from urllib3.contrib.emscripten.fetch import _is_node_js
+        from urllib3.exceptions import MaxRetryError
+
+        if not _is_node_js():
+            pytest.skip("urllib3 does not control redirects in browsers.")
+
+        redirect_url = f"http://{host}:{port}/redirect"
+
+        with PoolManager(retries=0) as http:
+            with pytest.raises(MaxRetryError):
+                http.request("GET", redirect_url)
+
+            response = http.request("GET", redirect_url, redirect=False)
+            assert response.status == 303
+
+        with PoolManager(retries=False) as http:
+            response = http.request("GET", redirect_url)
+            assert response.status == 303
+
+        with pytest.raises(MaxRetryError):
+            request("GET", redirect_url, retries=0)
+
+        response = request("GET", redirect_url, redirect=False)
+        assert response.status == 303
+
+        response = request("GET", redirect_url, retries=0, redirect=False)
+        assert response.status == 303
+
+    pyodide_test(
+        selenium_coverage, testserver_http.http_host, testserver_http.http_port
+    )
+
+
+ def test_insecure_requests_warning(
+     selenium_coverage: typing.Any, testserver_http: PyodideServerInfo
+ ) -> None:
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb b/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb
index 218a226431..c5e3751255 100644
--- a/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb
@@ -9,6 +9,7 @@ inherit pypi python_hatchling
 SRC_URI += " \
    file://CVE-2025-50181.patch \
+    file://CVE-2025-50182.patch \
 "
 DEPENDS += " \
author	Yogita Urade <yogita.urade@windriver.com>	2025-06-26 17:24:59 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-04 07:50:16 -0700
commit	0372024fe7ab2cea5eddf686f9bee0f8f07a2000 (patch)
tree	e15c57c50b24dfbb7905bcceb3cb29a5988b648e /meta/recipes-devtools/python
parent	7994e190182c1cf8f1bfa5b58722849b695288ad (diff)
download	poky-0372024fe7ab2cea5eddf686f9bee0f8f07a2000.tar.gz

diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch new file mode 100644 index 0000000000..2f6ba478d5 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch
@@ -0,0 +1,125 @@
		1	From 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f Mon Sep 17 00:00:00 2001
		2	From: Illia Volochii <illia.volochii@gmail.com>
		3	Date: Wed, 18 Jun 2025 16:30:35 +0300
		4	Subject: [PATCH] Merge commit from fork
		5
		6	CVE: CVE-2025-50182
		7	Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f]
		8
		9	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		10	---
		11	docs/reference/contrib/emscripten.rst \| 2 +-
		12	src/urllib3/contrib/emscripten/fetch.py \| 20 ++++++++++
		13	test/contrib/emscripten/test_emscripten.py \| 46 ++++++++++++++++++++++
		14	3 files changed, 67 insertions(+), 1 deletion(-)
		15
		16	diff --git a/docs/reference/contrib/emscripten.rst b/docs/reference/contrib/emscripten.rst
		17	index a8f1cda..4670757 100644
		18	--- a/docs/reference/contrib/emscripten.rst
		19	+++ b/docs/reference/contrib/emscripten.rst
		20	@@ -65,7 +65,7 @@ Features which are usable with Emscripten support are:
		21	* Timeouts
		22	* Retries
		23	* Streaming (with Web Workers and Cross-Origin Isolation)
		24	-* Redirects (determined by browser/runtime, not restrictable with urllib3)
		25	+* Redirects (urllib3 controls redirects in Node.js but not in browsers where behavior is determined by runtime)
		26	* Decompressing response bodies
		27
		28	Features which don't work with Emscripten:
		29	diff --git a/src/urllib3/contrib/emscripten/fetch.py b/src/urllib3/contrib/emscripten/fetch.py
		30	index a514306..6695821 100644
		31	--- a/src/urllib3/contrib/emscripten/fetch.py
		32	+++ b/src/urllib3/contrib/emscripten/fetch.py
		33	@@ -573,6 +573,11 @@ def send_jspi_request(
		34	"method": request.method,
		35	"signal": js_abort_controller.signal,
		36	}
		37	+ # Node.js returns the whole response (unlike opaqueredirect in browsers),
		38	+ # so urllib3 can set `redirect: manual` to control redirects itself.
		39	+ # https://stackoverflow.com/a/78524615
		40	+ if _is_node_js():
		41	+ fetch_data["redirect"] = "manual"
		42	# Call JavaScript fetch (async api, returns a promise)
		43	fetcher_promise_js = js.fetch(request.url, _obj_from_dict(fetch_data))
		44	# Now suspend WebAssembly until we resolve that promise
		45	@@ -693,6 +698,21 @@ def has_jspi() -> bool:
		46	return False
		47
		48
		49	+def _is_node_js() -> bool:
		50	+ """
		51	+ Check if we are in Node.js.
		52	+
		53	+ :return: True if we are in Node.js.
		54	+ :rtype: bool
		55	+ """
		56	+ return (
		57	+ hasattr(js, "process")
		58	+ and hasattr(js.process, "release")
		59	+ # According to the Node.js documentation, the release name is always "node".
		60	+ and js.process.release.name == "node"
		61	+ )
		62	+
		63	+
		64	def streaming_ready() -> bool \| None:
		65	if _fetcher:
		66	return _fetcher.streaming_ready
		67	diff --git a/test/contrib/emscripten/test_emscripten.py b/test/contrib/emscripten/test_emscripten.py
		68	index 5eaa674..fbf89fc 100644
		69	--- a/test/contrib/emscripten/test_emscripten.py
		70	+++ b/test/contrib/emscripten/test_emscripten.py
		71	@@ -960,6 +960,52 @@ def test_redirects(
		72	)
		73
		74
		75	+@pytest.mark.with_jspi
		76	+def test_disabled_redirects(
		77	+ selenium_coverage: typing.Any, testserver_http: PyodideServerInfo
		78	+) -> None:
		79	+ """
		80	+ Test that urllib3 can control redirects in Node.js.
		81	+ """
		82	+
		83	+ @run_in_pyodide # type: ignore[misc]
		84	+ def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) -> None:
		85	+ import pytest
		86	+
		87	+ from urllib3 import PoolManager, request
		88	+ from urllib3.contrib.emscripten.fetch import _is_node_js
		89	+ from urllib3.exceptions import MaxRetryError
		90	+
		91	+ if not _is_node_js():
		92	+ pytest.skip("urllib3 does not control redirects in browsers.")
		93	+
		94	+ redirect_url = f"http://{host}:{port}/redirect"
		95	+
		96	+ with PoolManager(retries=0) as http:
		97	+ with pytest.raises(MaxRetryError):
		98	+ http.request("GET", redirect_url)
		99	+
		100	+ response = http.request("GET", redirect_url, redirect=False)
		101	+ assert response.status == 303
		102	+
		103	+ with PoolManager(retries=False) as http:
		104	+ response = http.request("GET", redirect_url)
		105	+ assert response.status == 303
		106	+
		107	+ with pytest.raises(MaxRetryError):
		108	+ request("GET", redirect_url, retries=0)
		109	+
		110	+ response = request("GET", redirect_url, redirect=False)
		111	+ assert response.status == 303
		112	+
		113	+ response = request("GET", redirect_url, retries=0, redirect=False)
		114	+ assert response.status == 303
		115	+
		116	+ pyodide_test(
		117	+ selenium_coverage, testserver_http.http_host, testserver_http.http_port
		118	+ )
		119	+
		120	+
		121	def test_insecure_requests_warning(
		122	selenium_coverage: typing.Any, testserver_http: PyodideServerInfo
		123	) -> None:
		124	--
		125	2.40.0


diff --git a/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb b/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb index 218a226431..c5e3751255 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.3.0.bb
@@ -9,6 +9,7 @@ inherit pypi python_hatchling
9		9
10	SRC_URI += " \	10	SRC_URI += " \
11	file://CVE-2025-50181.patch \	11	file://CVE-2025-50181.patch \
		12	file://CVE-2025-50182.patch \
12	"	13	"
13		14
14	DEPENDS += " \	15	DEPENDS += " \