|
 |
a80022 |
From 960c01adce491de00ef7a8d02a32fea31b15a1dc Mon Sep 17 00:00:00 2001
|
|
|
a80022 |
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
|
|
|
a80022 |
Date: Fri, 2 Apr 2021 02:39:11 +0200
|
|
|
a80022 |
Subject: [PATCH] Update urllib3 to 1.26.4 to fix CVE-2021-28363
|
|
|
a80022 |
|
|
|
a80022 |
---
|
|
|
a80022 |
news/CVE-2021-28363.vendor.rst | 1 +
|
|
|
a80022 |
src/pip/_vendor/urllib3/_version.py | 2 +-
|
|
|
a80022 |
src/pip/_vendor/urllib3/connection.py | 8 ++++++--
|
|
|
a80022 |
src/pip/_vendor/urllib3/exceptions.py | 12 +++++++++++-
|
|
|
a80022 |
src/pip/_vendor/urllib3/util/retry.py | 1 +
|
|
|
a80022 |
src/pip/_vendor/vendor.txt | 2 +-
|
|
|
a80022 |
6 files changed, 21 insertions(+), 5 deletions(-)
|
|
|
a80022 |
create mode 100644 news/CVE-2021-28363.vendor.rst
|
|
|
a80022 |
|
|
|
a80022 |
diff --git a/news/CVE-2021-28363.vendor.rst b/news/CVE-2021-28363.vendor.rst
|
|
|
a80022 |
new file mode 100644
|
|
|
a80022 |
index 00000000000..29700ab7469
|
|
|
a80022 |
--- /dev/null
|
|
|
a80022 |
+++ b/news/CVE-2021-28363.vendor.rst
|
|
|
a80022 |
@@ -0,0 +1 @@
|
|
|
a80022 |
+Update urllib3 to 1.26.4 to fix CVE-2021-28363
|
|
|
a80022 |
diff --git a/src/pip/_vendor/urllib3/_version.py b/src/pip/_vendor/urllib3/_version.py
|
|
|
a80022 |
index 2dba29e3fbe..97c983300b0 100644
|
|
|
a80022 |
--- a/src/pip/_vendor/urllib3/_version.py
|
|
|
a80022 |
+++ b/src/pip/_vendor/urllib3/_version.py
|
|
|
a80022 |
@@ -1,2 +1,2 @@
|
|
|
a80022 |
# This file is protected via CODEOWNERS
|
|
|
a80022 |
-__version__ = "1.26.2"
|
|
|
a80022 |
+__version__ = "1.26.4"
|
|
|
a80022 |
diff --git a/src/pip/_vendor/urllib3/connection.py b/src/pip/_vendor/urllib3/connection.py
|
|
|
a80022 |
index 660d679c361..45580b7e1ea 100644
|
|
|
a80022 |
--- a/src/pip/_vendor/urllib3/connection.py
|
|
|
a80022 |
+++ b/src/pip/_vendor/urllib3/connection.py
|
|
|
a80022 |
@@ -67,7 +67,7 @@ class BrokenPipeError(Exception):
|
|
|
a80022 |
|
|
|
a80022 |
# When it comes time to update this value as a part of regular maintenance
|
|
|
a80022 |
# (ie test_recent_date is failing) update it to ~6 months before the current date.
|
|
|
a80022 |
-RECENT_DATE = datetime.date(2019, 1, 1)
|
|
|
a80022 |
+RECENT_DATE = datetime.date(2020, 7, 1)
|
|
|
a80022 |
|
|
|
a80022 |
_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
|
|
|
a80022 |
|
|
|
a80022 |
@@ -215,7 +215,7 @@ def putrequest(self, method, url, *args, **kwargs):
|
|
|
a80022 |
|
|
|
a80022 |
def putheader(self, header, *values):
|
|
|
a80022 |
""""""
|
|
|
a80022 |
- if SKIP_HEADER not in values:
|
|
|
a80022 |
+ if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
|
|
|
a80022 |
_HTTPConnection.putheader(self, header, *values)
|
|
|
a80022 |
elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
|
|
|
a80022 |
raise ValueError(
|
|
|
a80022 |
@@ -490,6 +490,10 @@ def _connect_tls_proxy(self, hostname, conn):
|
|
|
a80022 |
self.ca_cert_dir,
|
|
|
a80022 |
self.ca_cert_data,
|
|
|
a80022 |
)
|
|
|
a80022 |
+ # By default urllib3's SSLContext disables `check_hostname` and uses
|
|
|
a80022 |
+ # a custom check. For proxies we're good with relying on the default
|
|
|
a80022 |
+ # verification.
|
|
|
a80022 |
+ ssl_context.check_hostname = True
|
|
|
a80022 |
|
|
|
a80022 |
# If no cert was provided, use only the default options for server
|
|
|
a80022 |
# certificate validation
|
|
|
a80022 |
diff --git a/src/pip/_vendor/urllib3/exceptions.py b/src/pip/_vendor/urllib3/exceptions.py
|
|
|
a80022 |
index d69958d5dfc..cba6f3f560f 100644
|
|
|
a80022 |
--- a/src/pip/_vendor/urllib3/exceptions.py
|
|
|
a80022 |
+++ b/src/pip/_vendor/urllib3/exceptions.py
|
|
|
a80022 |
@@ -289,7 +289,17 @@ class ProxySchemeUnknown(AssertionError, URLSchemeUnknown):
|
|
|
a80022 |
# TODO(t-8ch): Stop inheriting from AssertionError in v2.0.
|
|
|
a80022 |
|
|
|
a80022 |
def __init__(self, scheme):
|
|
|
a80022 |
- message = "Not supported proxy scheme %s" % scheme
|
|
|
a80022 |
+ # 'localhost' is here because our URL parser parses
|
|
|
a80022 |
+ # localhost:8080 -> scheme=localhost, remove if we fix this.
|
|
|
a80022 |
+ if scheme == "localhost":
|
|
|
a80022 |
+ scheme = None
|
|
|
a80022 |
+ if scheme is None:
|
|
|
a80022 |
+ message = "Proxy URL had no scheme, should start with http:// or https://"
|
|
|
a80022 |
+ else:
|
|
|
a80022 |
+ message = (
|
|
|
a80022 |
+ "Proxy URL had unsupported scheme %s, should use http:// or https://"
|
|
|
a80022 |
+ % scheme
|
|
|
a80022 |
+ )
|
|
|
a80022 |
super(ProxySchemeUnknown, self).__init__(message)
|
|
|
a80022 |
|
|
|
a80022 |
|
|
|
a80022 |
diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
|
|
|
a80022 |
index ee51f922f84..d25a41b42ea 100644
|
|
|
a80022 |
--- a/src/pip/_vendor/urllib3/util/retry.py
|
|
|
a80022 |
+++ b/src/pip/_vendor/urllib3/util/retry.py
|
|
|
a80022 |
@@ -253,6 +253,7 @@ def __init__(
|
|
|
a80022 |
"Using 'method_whitelist' with Retry is deprecated and "
|
|
|
a80022 |
"will be removed in v2.0. Use 'allowed_methods' instead",
|
|
|
a80022 |
DeprecationWarning,
|
|
|
a80022 |
+ stacklevel=2,
|
|
|
a80022 |
)
|
|
|
a80022 |
allowed_methods = method_whitelist
|
|
|
a80022 |
if allowed_methods is _Default:
|
|
|
a80022 |
diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
|
|
|
a80022 |
index 51a5508479e..868baba6f01 100644
|
|
|
a80022 |
--- a/src/pip/_vendor/vendor.txt
|
|
|
a80022 |
+++ b/src/pip/_vendor/vendor.txt
|
|
|
a80022 |
@@ -13,7 +13,7 @@ requests==2.25.1
|
|
|
a80022 |
certifi==2020.12.05
|
|
|
a80022 |
chardet==4.0.0
|
|
|
a80022 |
idna==2.10
|
|
|
a80022 |
- urllib3==1.26.2
|
|
|
a80022 |
+ urllib3==1.26.4
|
|
|
a80022 |
resolvelib==0.5.4
|
|
|
a80022 |
retrying==1.3.3
|
|
|
a80022 |
setuptools==44.0.0
|