From 960c01adce491de00ef7a8d02a32fea31b15a1dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
Date: Fri, 2 Apr 2021 02:39:11 +0200
Subject: [PATCH] Update urllib3 to 1.26.4 to fix CVE-2021-28363

---
 news/CVE-2021-28363.vendor.rst | 1 +
 src/pip/_vendor/urllib3/_version.py | 2 +-
 src/pip/_vendor/urllib3/connection.py | 8 ++++++--
 src/pip/_vendor/urllib3/exceptions.py | 12 +++++++++++-
 src/pip/_vendor/urllib3/util/retry.py | 1 +
 src/pip/_vendor/vendor.txt | 2 +-
 6 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 news/CVE-2021-28363.vendor.rst

diff --git a/news/CVE-2021-28363.vendor.rst b/news/CVE-2021-28363.vendor.rst
new file mode 100644
index 00000000000..29700ab7469
--- /dev/null
+++ b/news/CVE-2021-28363.vendor.rst
@@ -0,0 +1 @@
+Update urllib3 to 1.26.4 to fix CVE-2021-28363
diff --git a/src/pip/_vendor/urllib3/_version.py b/src/pip/_vendor/urllib3/_version.py
index 2dba29e3fbe..97c983300b0 100644
--- a/src/pip/_vendor/urllib3/_version.py
+++ b/src/pip/_vendor/urllib3/_version.py
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.2"
+__version__ = "1.26.4"
diff --git a/src/pip/_vendor/urllib3/connection.py b/src/pip/_vendor/urllib3/connection.py
index 660d679c361..45580b7e1ea 100644
--- a/src/pip/_vendor/urllib3/connection.py
+++ b/src/pip/_vendor/urllib3/connection.py
@@ -67,7 +67,7 @@ class BrokenPipeError(Exception):
 
 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2020, 7, 1)
 
 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 
@@ -215,7 +215,7 @@ def putrequest(self, method, url, *args, **kwargs):
 
     def putheader(self, header, *values):
         """"""
-        if SKIP_HEADER not in values:
+        if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
             _HTTPConnection.putheader(self, header, *values)
         elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
             raise ValueError(
@@ -490,6 +490,10 @@ def _connect_tls_proxy(self, hostname, conn):
             self.ca_cert_dir,
             self.ca_cert_data,
         )
+        # By default urllib3's SSLContext disables `check_hostname` and uses
+        # a custom check. For proxies we're good with relying on the default
+        # verification.
+        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation
diff --git a/src/pip/_vendor/urllib3/exceptions.py b/src/pip/_vendor/urllib3/exceptions.py
index d69958d5dfc..cba6f3f560f 100644
--- a/src/pip/_vendor/urllib3/exceptions.py
+++ b/src/pip/_vendor/urllib3/exceptions.py
@@ -289,7 +289,17 @@ class ProxySchemeUnknown(AssertionError, URLSchemeUnknown):
     # TODO(t-8ch): Stop inheriting from AssertionError in v2.0.
 
     def __init__(self, scheme):
-        message = "Not supported proxy scheme %s" % scheme
+        # 'localhost' is here because our URL parser parses
+        # localhost:8080 -> scheme=localhost, remove if we fix this.
+        if scheme == "localhost":
+            scheme = None
+        if scheme is None:
+            message = "Proxy URL had no scheme, should start with http:// or https://"
+        else:
+            message = (
+                "Proxy URL had unsupported scheme %s, should use http:// or https://"
+                % scheme
+            )
         super(ProxySchemeUnknown, self).__init__(message)
 
 
diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
index ee51f922f84..d25a41b42ea 100644
--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
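Review bot: The `putheader` docstring stays `""""""` while the commit changes how the `SKIP_HEADER` sentinel is matched, so a reader has no statement of the method's contract; I would replace the empty docstring with one along the lines of `"""Send a header unless one of *values* is the SKIP_HEADER sentinel; skipping is only permitted for headers listed in SKIPPABLE_HEADERS."""`. The new `isinstance(v, str)` guard avoids comparing non-string values against the sentinel, but under Python 2 (this file still goes through `six`) `str` excludes `unicode`, so a `unicode` sentinel would presumably fall through to `_HTTPConnection.putheader` — if that is acceptable, a one-line comment stating that the sentinel must be a native `str` would make it deliberate. The method's body, including the `raise ValueError(` call, continues past the end of this hunk.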
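Review bot: `ssl_context.check_hostname = True` is set unconditionally, although the context was just built from `self.cert_reqs` by `create_proxy_ssl_context`. If that resolves to `CERT_NONE`, the stdlib setter raises `ValueError` on Python before 3.7 and, from 3.7 on, silently switches `verify_mode` to `CERT_REQUIRED` — so a proxy deliberately configured without verification would either fail to connect or be verified anyway, and the added comment describes neither outcome. I would make the interaction explicit, either by guarding the assignment with `if ssl_context.verify_mode != ssl.CERT_NONE:` or, if always verifying HTTPS proxies is intended, by extending the comment to say so and to note that hostname matching here is the stdlib's rather than urllib3's own check. `_connect_tls_proxy` begins and ends outside this hunk.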
@@ -253,6 +253,7 @@ def __init__(
                 "Using 'method_whitelist' with Retry is deprecated and "
                 "will be removed in v2.0. Use 'allowed_methods' instead",
                 DeprecationWarning,
+                stacklevel=2,
             )
             allowed_methods = method_whitelist
         if allowed_methods is _Default:
diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
index 51a5508479e..868baba6f01 100644
--- a/src/pip/_vendor/vendor.txt
+++ b/src/pip/_vendor/vendor.txt
@@ -13,7 +13,7 @@ requests==2.25.1
     certifi==2020.12.05
     chardet==4.0.0
     idna==2.10
-    urllib3==1.26.2
+    urllib3==1.26.4
 resolvelib==0.5.4
 retrying==1.3.3
 setuptools==44.0.0