poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch - openbmc/openbmc - Gitiles

 From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001
 From: Nate Prewitt <nate.prewitt@gmail.com>
 Date: Mon, 5 Jun 2023 09:31:36 +0000
 Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q

 CVE: CVE-2023-32681

 Upstream-Status: Backport [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5]

 Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
 ---
  requests/sessions.py   |  4 +++-
  tests/test_requests.py | 20 ++++++++++++++++++++
  2 files changed, 23 insertions(+), 1 deletion(-)

 diff --git a/requests/sessions.py b/requests/sessions.py
 index 3f59cab..648cffa 100644
 --- a/requests/sessions.py
 +++ b/requests/sessions.py
 @@ -293,7 +293,9 @@ class SessionRedirectMixin(object):
          except KeyError:
              username, password = None, None

 -        if username and password:
 +        # urllib3 handles proxy authorization for us in the standard adapter.
 +        # Avoid appending this to TLS tunneled requests where it may be leaked.
 +        if not scheme.startswith('https') and username and password:
              headers['Proxy-Authorization'] = _basic_auth_str(username, password)

          return new_proxies
 diff --git a/tests/test_requests.py b/tests/test_requests.py
 index 29b3aca..6a37777 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
 @@ -601,6 +601,26 @@ class TestRequests:

          assert sent_headers.get("Proxy-Authorization") == proxy_auth_value

 +
 +    @pytest.mark.parametrize(
 +        "url,has_proxy_auth",
 +        (
 +            ('http://example.com', True),
 +            ('https://example.com', False),
 +        ),
 +    )
 +    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
 +        session = requests.Session()
 +        proxies = {
 +            'http': 'http://test:pass@localhost:8080',
 +            'https': 'http://test:pass@localhost:8090',
 +        }
 +        req = requests.Request('GET', url)
 +        prep = req.prepare()
 +        session.rebuild_proxies(prep, proxies)
 +
 +        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
 +
      def test_basicauth_with_netrc(self, httpbin):
          auth = ('user', 'pass')
          wrong_auth = ('wronguser', 'wrongpass')
 --
 2.40.0
	From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001
	From: Nate Prewitt <nate.prewitt@gmail.com>
	Date: Mon, 5 Jun 2023 09:31:36 +0000
	Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q

	CVE: CVE-2023-32681

	Upstream-Status: Backport [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5]

	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
	---
	requests/sessions.py \| 4 +++-
	tests/test_requests.py \| 20 ++++++++++++++++++++
	2 files changed, 23 insertions(+), 1 deletion(-)

	diff --git a/requests/sessions.py b/requests/sessions.py
	index 3f59cab..648cffa 100644
	--- a/requests/sessions.py
	+++ b/requests/sessions.py
	@@ -293,7 +293,9 @@ class SessionRedirectMixin(object):
	except KeyError:
	username, password = None, None

	- if username and password:
	+ # urllib3 handles proxy authorization for us in the standard adapter.
	+ # Avoid appending this to TLS tunneled requests where it may be leaked.
	+ if not scheme.startswith('https') and username and password:
	headers['Proxy-Authorization'] = _basic_auth_str(username, password)

	return new_proxies
	diff --git a/tests/test_requests.py b/tests/test_requests.py
	index 29b3aca..6a37777 100644
	--- a/tests/test_requests.py
	+++ b/tests/test_requests.py
	@@ -601,6 +601,26 @@ class TestRequests:

	assert sent_headers.get("Proxy-Authorization") == proxy_auth_value

	+
	+ @pytest.mark.parametrize(
	+ "url,has_proxy_auth",
	+ (
	+ ('http://example.com', True),
	+ ('https://example.com', False),
	+ ),
	+ )
	+ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
	+ session = requests.Session()
	+ proxies = {
	+ 'http': 'http://test:pass@localhost:8080',
	+ 'https': 'http://test:pass@localhost:8090',
	+ }
	+ req = requests.Request('GET', url)
	+ prep = req.prepare()
	+ session.rebuild_proxies(prep, proxies)
	+
	+ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
	+
	def test_basicauth_with_netrc(self, httpbin):
	auth = ('user', 'pass')
	wrong_auth = ('wronguser', 'wrongpass')
	--
	2.40.0