From c734f873270cf9ca414832423f7aad98443c379f Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 9 Jan 2020 11:26:24 +0100
Subject: [PATCH] CVE-2018-20060
|
---
poolmanager.py | 11 ++++++++++-
util/retry.py | 12 +++++++++++-
2 files changed, 21 insertions(+), 2 deletions(-)
|
diff --git a/poolmanager.py b/poolmanager.py
|
|
|
69f732 |
index 4ae9174..bfa5115 100644
|
|
|
69f732 |
--- a/poolmanager.py
|
|
|
69f732 |
+++ b/poolmanager.py
|
|
|
69f732 |
@@ -312,8 +312,9 @@ class PoolManager(RequestMethods):
|
|
|
69f732 |
|
|
|
69f732 |
kw['assert_same_host'] = False
|
|
|
69f732 |
kw['redirect'] = False
|
|
|
69f732 |
+
|
|
|
69f732 |
if 'headers' not in kw:
|
|
|
69f732 |
- kw['headers'] = self.headers
|
|
|
69f732 |
+ kw['headers'] = self.headers.copy()
|
|
|
69f732 |
|
|
|
69f732 |
if self.proxy is not None and u.scheme == "http":
|
|
|
69f732 |
response = conn.urlopen(method, url, **kw)
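Review bot: The new `kw['headers'] = self.headers.copy()` protects only the pool-level default headers; when the caller passes its own `headers=` the `if 'headers' not in kw` guard leaves that dict in place, and the redirect path later in this same method pops blacklisted entries straight out of `kw['headers']`, so a caller that reuses one headers dict across requests silently loses its `Authorization` entry after the first cross-host redirect. Copying in both branches removes the surprise, e.g. add `else: kw['headers'] = kw['headers'].copy()` under the existing check (assuming the caller's object supports `.copy()` like the default does, which is not visible here). Whether callers actually share a dict across calls cannot be seen from this hunk, so this is a robustness point rather than a confirmed bug. The enclosing `urlopen` method starts before and ends after this hunk.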
|
|
|
69f732 |
@@ -335,6 +336,14 @@ class PoolManager(RequestMethods):
|
|
|
69f732 |
if not isinstance(retries, Retry):
|
|
|
69f732 |
retries = Retry.from_int(retries, redirect=redirect)
|
|
|
69f732 |
|
|
|
69f732 |
+ # Strip headers marked as unsafe to forward to the redirected location.
|
|
|
69f732 |
+ # Check remove_headers_on_redirect to avoid a potential network call within
|
|
|
69f732 |
+ # conn.is_same_host() which may use socket.gethostbyname() in the future.
|
|
|
69f732 |
+ if (retries.remove_headers_on_redirect
|
|
|
69f732 |
+ and not conn.is_same_host(redirect_location)):
|
|
|
69f732 |
+ for header in retries.remove_headers_on_redirect:
|
|
|
69f732 |
+ kw['headers'].pop(header, None)
|
|
|
69f732 |
+
|
|
|
69f732 |
try:
|
|
|
69f732 |
retries = retries.increment(method, url, response=response, _pool=conn)
|
|
|
69f732 |
except MaxRetryError:
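Review bot: The strip at `kw['headers'].pop(header, None)` matches the header name case-sensitively, so with the default blacklist only a key spelled exactly `Authorization` is removed; if `kw['headers']` is a plain dict (the pool's `self.headers` is copied in above and a caller-supplied `headers` dict is used as-is, and neither type is visible in this hunk) an `authorization` key still follows the redirect to the other host, which is exactly the credential leak this CVE fix is meant to close. Comparing lowercased names against a lowercased blacklist closes the gap without changing the `Retry` API or the short-circuit that keeps `is_same_host` from running when the blacklist is empty. The enclosing `urlopen` method starts before and ends after this hunk.
```python
        if (retries.remove_headers_on_redirect
                and not conn.is_same_host(redirect_location)):
            blocked = set(h.lower() for h in retries.remove_headers_on_redirect)
            # iterate over a snapshot: popping while iterating a dict is an error
            for header in list(kw['headers']):
                if header.lower() in blocked:
                    kw['headers'].pop(header, None)
        # … unchanged: retries.increment / MaxRetryError handling …
```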
|
|
|
69f732 |
diff --git a/util/retry.py b/util/retry.py
|
|
|
69f732 |
index c603cb4..0b83963 100644
|
|
|
69f732 |
--- a/util/retry.py
|
|
|
69f732 |
+++ b/util/retry.py
|
|
|
69f732 |
@@ -126,6 +126,11 @@ class Retry(object):
|
|
|
69f732 |
exhausted, to raise a MaxRetryError, or to return a response with a
|
|
|
69f732 |
response code in the 3xx range.
|
|
|
69f732 |
|
|
|
69f732 |
+ :param iterable remove_headers_on_redirect:
|
|
|
69f732 |
+ Sequence of headers to remove from the request when a response
|
|
|
69f732 |
+ indicating a redirect is returned before firing off the redirected
|
|
|
69f732 |
+ request
|
|
|
69f732 |
+
|
|
|
69f732 |
:param bool raise_on_status: Similar meaning to ``raise_on_redirect``:
|
|
|
69f732 |
whether we should raise an exception, or return a response,
|
|
|
69f732 |
if status falls in ``status_forcelist`` range and retries have
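Review bot: The new `remove_headers_on_redirect` entry does not say what the default is or how to switch the behaviour off, which is what a caller deciding whether to rely on it needs; the signature further down this file defaults it to `DEFAULT_REDIRECT_HEADERS_BLACKLIST`, i.e. `Authorization` only. Suggest appending to the entry: `Defaults to ``DEFAULT_REDIRECT_HEADERS_BLACKLIST`` (``Authorization``); pass an empty sequence to keep every header on redirects.` It is also worth stating that the removal is applied by `PoolManager.urlopen` and only when its `is_same_host` check fails for the redirect target, since a reader of this docstring alone would assume every redirect strips the headers. The class docstring continues outside this hunk.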
|
|
|
69f732 |
@@ -144,6 +149,8 @@ class Retry(object):
|
|
|
69f732 |
DEFAULT_METHOD_WHITELIST = frozenset([
|
|
|
69f732 |
'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
|
|
|
69f732 |
|
|
|
69f732 |
+ DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
|
|
|
69f732 |
+
|
|
|
69f732 |
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
|
|
|
69f732 |
|
|
|
69f732 |
#: Maximum backoff time.
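Review bot: `DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])` covers bearer/basic credentials only, so a `Cookie` header configured on the pool or passed per request still travels to the redirect target on a cross-host redirect, which is the same credential-leak pattern this fix closes for `Authorization`. If the intent is to match the CVE narrowly that is a defensible choice, but it should be a deliberate one; otherwise `DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization', 'Cookie'])` also keeps session cookies from leaking. Either way a why-comment would help the next reader, e.g. `# Credential-bearing headers that must not follow a redirect to another host.`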
|
|
|
69f732 |
@@ -152,7 +159,8 @@ class Retry(object):
|
|
|
69f732 |
def __init__(self, total=10, connect=None, read=None, redirect=None, status=None,
|
|
|
69f732 |
method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
|
|
|
69f732 |
backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
|
|
|
69f732 |
- history=None, respect_retry_after_header=True):
|
|
|
69f732 |
+ history=None, respect_retry_after_header=True,
|
|
|
69f732 |
+ remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
|
|
|
69f732 |
|
|
|
69f732 |
self.total = total
|
|
|
69f732 |
self.connect = connect
|
|
|
69f732 |
@@ -171,6 +179,7 @@ class Retry(object):
|
|
|
69f732 |
self.raise_on_status = raise_on_status
|
|
|
69f732 |
self.history = history or tuple()
|
|
|
69f732 |
self.respect_retry_after_header = respect_retry_after_header
|
|
|
69f732 |
+ self.remove_headers_on_redirect = remove_headers_on_redirect
|
|
|
69f732 |
|
|
|
69f732 |
def new(self, **kw):
|
|
|
69f732 |
params = dict(
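Review bot: `self.remove_headers_on_redirect = remove_headers_on_redirect` stores the caller's object unchanged, so a one-shot iterable (a generator, which the docstring's "iterable" wording allows) is exhausted by the first redirect and every later redirect keeps the headers, and a mutable list the caller edits afterwards changes the behaviour of every `Retry` derived via `new()`. Materialising it once, `self.remove_headers_on_redirect = frozenset(remove_headers_on_redirect)`, makes the attribute immutable like the default and still works with the truthiness check `if retries.remove_headers_on_redirect` in the pool manager, since an empty frozenset is falsy. `__init__` starts before this hunk.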
|
|
|
69f732 |
@@ -182,6 +191,7 @@ class Retry(object):
|
|
|
69f732 |
raise_on_redirect=self.raise_on_redirect,
|
|
|
69f732 |
raise_on_status=self.raise_on_status,
|
|
|
69f732 |
history=self.history,
|
|
|
69f732 |
+ remove_headers_on_redirect=self.remove_headers_on_redirect,
|
|
|
69f732 |
)
|
|
|
69f732 |
params.update(kw)
|
|
|
69f732 |
return type(self)(**params)
--
2.24.1