2 files changed, 218 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
new file mode 100644
index 0000000000..61bdcc3e62
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
@@ -0,0 +1,214 @@
+From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 18 Jun 2025 16:25:01 +0300
+Subject: [PATCH] Merge commit from fork
+* Apply Quentin's suggestion
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+* Add tests for disabled redirects in the pool manager
+* Add a possible fix for the issue with not raised `MaxRetryError`
+* Make urllib3 handle redirects instead of JS when JSPI is used
+* Fix info in the new comment
+* State that redirects with XHR are not controlled by urllib3
+* Remove excessive params from new test requests
+* Add tests reaching max non-0 redirects
+* Test redirects with Emscripten
+* Fix `test_merge_pool_kwargs`
+* Add a changelog entry
+* Parametrize tests
+* Drop a fix for Emscripten
+* Apply Seth's suggestion to docs
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+* Use a minor release instead of the patch one
+---------
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+Changes:
+- skip docs/reference/contrib/emscripten.rst, dummyserver/app.py and
+test/contrib/emscripten/test_emscripten.py files which are not presented.
+CVE: CVE-2025-50181
+Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/urllib3/poolmanager.py                |  18 +++-
+ test/with_dummyserver/test_poolmanager.py | 101 ++++++++++++++++++++++
+ 2 files changed, 118 insertions(+), 1 deletion(-)
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index fb51bf7..a8de7c6 100644
+--- a/src/urllib3/poolmanager.py
+++ b/src/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
+        if "retries" in connection_pool_kw:
+            retries = connection_pool_kw["retries"]
+            if not isinstance(retries, Retry):
+                # When Retry is initialized, raise_on_redirect is based
+                # on a redirect boolean value.
+                # But requests made via a pool manager always set
+                # redirect to False, and raise_on_redirect always ends
+                # up being False consequently.
+                # Here we fix the issue by setting raise_on_redirect to
+                # a value needed by the pool manager without considering
+                # the redirect boolean.
+                raise_on_redirect = retries is not False
+                retries = Retry.from_int(retries, redirect=False)
+                retries.raise_on_redirect = raise_on_redirect
+                connection_pool_kw = connection_pool_kw.copy()
+                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools)
+@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
+             kw["body"] = None
+             kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+-        retries = kw.get("retries")
+        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index 509daf2..f84f169 100644
+--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
+@@ -82,6 +82,89 @@ class TestPoolManager(HTTPDummyServerTestCase):
+             assert r.status == 200
+             assert r.data == b"Dummy server!"
+    @pytest.mark.parametrize(
+        "retries",
+        (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)),
+    )
+    def test_redirects_disabled_for_pool_manager_with_0(
+        self, retries: typing.Literal[0] | Retry
+    ) -> None:
+        """
+        Check handling redirects when retries is set to 0 on the pool
+        manager.
+        """
+        with PoolManager(retries=retries) as http:
+            with pytest.raises(MaxRetryError):
+                http.request("GET", f"{self.base_url}/redirect")
+
+            # Setting redirect=True should not change the behavior.
+            with pytest.raises(MaxRetryError):
+                http.request("GET", f"{self.base_url}/redirect", redirect=True)
+
+            # Setting redirect=False should not make it follow the redirect,
+            # but MaxRetryError should not be raised.
+            response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
+            assert response.status == 303
+
+    @pytest.mark.parametrize(
+        "retries",
+        (
+            False,
+            Retry(total=False),
+            Retry(redirect=False),
+            Retry(total=False, redirect=False),
+        ),
+    )
+    def test_redirects_disabled_for_pool_manager_with_false(
+        self, retries: typing.Literal[False] | Retry
+    ) -> None:
+        """
+        Check that setting retries set to False on the pool manager disables
+        raising MaxRetryError and redirect=True does not change the
+        behavior.
+        """
+        with PoolManager(retries=retries) as http:
+            response = http.request("GET", f"{self.base_url}/redirect")
+            assert response.status == 303
+
+            response = http.request("GET", f"{self.base_url}/redirect", redirect=True)
+            assert response.status == 303
+
+            response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
+            assert response.status == 303
+
+    def test_redirects_disabled_for_individual_request(self) -> None:
+        """
+        Check handling redirects when they are meant to be disabled
+        on the request level.
+        """
+        with PoolManager() as http:
+            # Check when redirect is not passed.
+            with pytest.raises(MaxRetryError):
+                http.request("GET", f"{self.base_url}/redirect", retries=0)
+            response = http.request("GET", f"{self.base_url}/redirect", retries=False)
+            assert response.status == 303
+
+            # Check when redirect=True.
+            with pytest.raises(MaxRetryError):
+                http.request(
+                    "GET", f"{self.base_url}/redirect", retries=0, redirect=True
+                )
+            response = http.request(
+                "GET", f"{self.base_url}/redirect", retries=False, redirect=True
+            )
+            assert response.status == 303
+
+            # Check when redirect=False.
+            response = http.request(
+                "GET", f"{self.base_url}/redirect", retries=0, redirect=False
+            )
+            assert response.status == 303
+            response = http.request(
+                "GET", f"{self.base_url}/redirect", retries=False, redirect=False
+            )
+            assert response.status == 303
+
+     def test_cross_host_redirect(self):
+         with PoolManager() as http:
+             cross_host_location = "%s/echo?a=b" % self.base_url_alt
+@@ -136,6 +219,24 @@ class TestPoolManager(HTTPDummyServerTestCase):
+             pool = http.connection_from_host(self.host, self.port)
+             assert pool.num_connections == 1
+        # Check when retries are configured for the pool manager.
+        with PoolManager(retries=1) as http:
+            with pytest.raises(MaxRetryError):
+                http.request(
+                    "GET",
+                    f"{self.base_url}/redirect",
+                    fields={"target": f"/redirect?target={self.base_url}/"},
+                )
+
+            # Here we allow more retries for the request.
+            response = http.request(
+                "GET",
+                f"{self.base_url}/redirect",
+                fields={"target": f"/redirect?target={self.base_url}/"},
+                retries=2,
+            )
+            assert response.status == 200
+
+     def test_redirect_cross_host_remove_headers(self):
+         with PoolManager() as http:
+             r = http.request(
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
index d384b5eb2f..b26c9ad2fa 100644
--- a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
@@ -7,6 +7,10 @@ SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e32
 inherit pypi setuptools3
+SRC_URI += " \
+    file://CVE-2025-50181.patch \
+"
 RDEPENDS:${PN} += "\
    ${PYTHON_PN}-certifi \
    ${PYTHON_PN}-cryptography \

diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch new file mode 100644 index 0000000000..61bdcc3e62 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
@@ -0,0 +1,214 @@
		1	From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
		2	From: Illia Volochii <illia.volochii@gmail.com>
		3	Date: Wed, 18 Jun 2025 16:25:01 +0300
		4	Subject: [PATCH] Merge commit from fork
		5
		6	* Apply Quentin's suggestion
		7
		8	Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
		9
		10	* Add tests for disabled redirects in the pool manager
		11
		12	* Add a possible fix for the issue with not raised `MaxRetryError`
		13
		14	* Make urllib3 handle redirects instead of JS when JSPI is used
		15
		16	* Fix info in the new comment
		17
		18	* State that redirects with XHR are not controlled by urllib3
		19
		20	* Remove excessive params from new test requests
		21
		22	* Add tests reaching max non-0 redirects
		23
		24	* Test redirects with Emscripten
		25
		26	* Fix `test_merge_pool_kwargs`
		27
		28	* Add a changelog entry
		29
		30	* Parametrize tests
		31
		32	* Drop a fix for Emscripten
		33
		34	* Apply Seth's suggestion to docs
		35
		36	Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
		37
		38	* Use a minor release instead of the patch one
		39
		40	---------
		41
		42	Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
		43	Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
		44
		45	Changes:
		46	- skip docs/reference/contrib/emscripten.rst, dummyserver/app.py and
		47	test/contrib/emscripten/test_emscripten.py files which are not presented.
		48
		49	CVE: CVE-2025-50181
		50	Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857]
		51
		52	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		53	---
		54	src/urllib3/poolmanager.py \| 18 +++-
		55	test/with_dummyserver/test_poolmanager.py \| 101 ++++++++++++++++++++++
		56	2 files changed, 118 insertions(+), 1 deletion(-)
		57
		58	diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
		59	index fb51bf7..a8de7c6 100644
		60	--- a/src/urllib3/poolmanager.py
		61	+++ b/src/urllib3/poolmanager.py
		62	@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
		63
		64	def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
		65	RequestMethods.__init__(self, headers)
		66	+ if "retries" in connection_pool_kw:
		67	+ retries = connection_pool_kw["retries"]
		68	+ if not isinstance(retries, Retry):
		69	+ # When Retry is initialized, raise_on_redirect is based
		70	+ # on a redirect boolean value.
		71	+ # But requests made via a pool manager always set
		72	+ # redirect to False, and raise_on_redirect always ends
		73	+ # up being False consequently.
		74	+ # Here we fix the issue by setting raise_on_redirect to
		75	+ # a value needed by the pool manager without considering
		76	+ # the redirect boolean.
		77	+ raise_on_redirect = retries is not False
		78	+ retries = Retry.from_int(retries, redirect=False)
		79	+ retries.raise_on_redirect = raise_on_redirect
		80	+ connection_pool_kw = connection_pool_kw.copy()
		81	+ connection_pool_kw["retries"] = retries
		82	self.connection_pool_kw = connection_pool_kw
		83	self.pools = RecentlyUsedContainer(num_pools)
		84
		85	@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
		86	kw["body"] = None
		87	kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
		88
		89	- retries = kw.get("retries")
		90	+ retries = kw.get("retries", response.retries)
		91	if not isinstance(retries, Retry):
		92	retries = Retry.from_int(retries, redirect=redirect)
		93
		94	diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
		95	index 509daf2..f84f169 100644
		96	--- a/test/with_dummyserver/test_poolmanager.py
		97	+++ b/test/with_dummyserver/test_poolmanager.py
		98	@@ -82,6 +82,89 @@ class TestPoolManager(HTTPDummyServerTestCase):
		99	assert r.status == 200
		100	assert r.data == b"Dummy server!"
		101
		102	+ @pytest.mark.parametrize(
		103	+ "retries",
		104	+ (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)),
		105	+ )
		106	+ def test_redirects_disabled_for_pool_manager_with_0(
		107	+ self, retries: typing.Literal[0] \| Retry
		108	+ ) -> None:
		109	+ """
		110	+ Check handling redirects when retries is set to 0 on the pool
		111	+ manager.
		112	+ """
		113	+ with PoolManager(retries=retries) as http:
		114	+ with pytest.raises(MaxRetryError):
		115	+ http.request("GET", f"{self.base_url}/redirect")
		116	+
		117	+ # Setting redirect=True should not change the behavior.
		118	+ with pytest.raises(MaxRetryError):
		119	+ http.request("GET", f"{self.base_url}/redirect", redirect=True)
		120	+
		121	+ # Setting redirect=False should not make it follow the redirect,
		122	+ # but MaxRetryError should not be raised.
		123	+ response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
		124	+ assert response.status == 303
		125	+
		126	+ @pytest.mark.parametrize(
		127	+ "retries",
		128	+ (
		129	+ False,
		130	+ Retry(total=False),
		131	+ Retry(redirect=False),
		132	+ Retry(total=False, redirect=False),
		133	+ ),
		134	+ )
		135	+ def test_redirects_disabled_for_pool_manager_with_false(
		136	+ self, retries: typing.Literal[False] \| Retry
		137	+ ) -> None:
		138	+ """
		139	+ Check that setting retries set to False on the pool manager disables
		140	+ raising MaxRetryError and redirect=True does not change the
		141	+ behavior.
		142	+ """
		143	+ with PoolManager(retries=retries) as http:
		144	+ response = http.request("GET", f"{self.base_url}/redirect")
		145	+ assert response.status == 303
		146	+
		147	+ response = http.request("GET", f"{self.base_url}/redirect", redirect=True)
		148	+ assert response.status == 303
		149	+
		150	+ response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
		151	+ assert response.status == 303
		152	+
		153	+ def test_redirects_disabled_for_individual_request(self) -> None:
		154	+ """
		155	+ Check handling redirects when they are meant to be disabled
		156	+ on the request level.
		157	+ """
		158	+ with PoolManager() as http:
		159	+ # Check when redirect is not passed.
		160	+ with pytest.raises(MaxRetryError):
		161	+ http.request("GET", f"{self.base_url}/redirect", retries=0)
		162	+ response = http.request("GET", f"{self.base_url}/redirect", retries=False)
		163	+ assert response.status == 303
		164	+
		165	+ # Check when redirect=True.
		166	+ with pytest.raises(MaxRetryError):
		167	+ http.request(
		168	+ "GET", f"{self.base_url}/redirect", retries=0, redirect=True
		169	+ )
		170	+ response = http.request(
		171	+ "GET", f"{self.base_url}/redirect", retries=False, redirect=True
		172	+ )
		173	+ assert response.status == 303
		174	+
		175	+ # Check when redirect=False.
		176	+ response = http.request(
		177	+ "GET", f"{self.base_url}/redirect", retries=0, redirect=False
		178	+ )
		179	+ assert response.status == 303
		180	+ response = http.request(
		181	+ "GET", f"{self.base_url}/redirect", retries=False, redirect=False
		182	+ )
		183	+ assert response.status == 303
		184	+
		185	def test_cross_host_redirect(self):
		186	with PoolManager() as http:
		187	cross_host_location = "%s/echo?a=b" % self.base_url_alt
		188	@@ -136,6 +219,24 @@ class TestPoolManager(HTTPDummyServerTestCase):
		189	pool = http.connection_from_host(self.host, self.port)
		190	assert pool.num_connections == 1
		191
		192	+ # Check when retries are configured for the pool manager.
		193	+ with PoolManager(retries=1) as http:
		194	+ with pytest.raises(MaxRetryError):
		195	+ http.request(
		196	+ "GET",
		197	+ f"{self.base_url}/redirect",
		198	+ fields={"target": f"/redirect?target={self.base_url}/"},
		199	+ )
		200	+
		201	+ # Here we allow more retries for the request.
		202	+ response = http.request(
		203	+ "GET",
		204	+ f"{self.base_url}/redirect",
		205	+ fields={"target": f"/redirect?target={self.base_url}/"},
		206	+ retries=2,
		207	+ )
		208	+ assert response.status == 200
		209	+
		210	def test_redirect_cross_host_remove_headers(self):
		211	with PoolManager() as http:
		212	r = http.request(
		213	--
		214	2.40.0


diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb index d384b5eb2f..b26c9ad2fa 100644 --- a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb +++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
@@ -7,6 +7,10 @@ SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e32
7		7
8	inherit pypi setuptools3	8	inherit pypi setuptools3
9		9
		10	SRC_URI += " \
		11	file://CVE-2025-50181.patch \
		12	"
		13
10	RDEPENDS:${PN} += "\	14	RDEPENDS:${PN} += "\
11	${PYTHON_PN}-certifi \	15	${PYTHON_PN}-certifi \
12	${PYTHON_PN}-cryptography \	16	${PYTHON_PN}-cryptography \