diff --git a/SOURCES/fix-CVE-2018-18074.patch b/SOURCES/fix-CVE-2018-18074.patch
new file mode 100644
index 0000000..c75cada
--- /dev/null
+++ b/SOURCES/fix-CVE-2018-18074.patch
@@ -0,0 +1,77 @@
+diff --git a/requests/sessions.py b/requests/sessions.py
+index ef3f22b..a0a23ee 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -89,6 +89,23 @@ def merge_hooks(request_hooks, session_hooks, dict_class=OrderedDict):
+
+
+ class SessionRedirectMixin(object):
++
++ def should_strip_auth(self, old_url, new_url):
++ """Decide whether Authorization header should be removed when redirecting"""
++ old_parsed = urlparse(old_url)
++ new_parsed = urlparse(new_url)
++ if old_parsed.hostname != new_parsed.hostname:
++ return True
++ # Special case: allow http -> https redirect when using the standard
++ # ports. This isn't specified by RFC 7235, but is kept to avoid
++ # breaking backwards compatibility with older versions of requests
++ # that allowed any redirects on the same host.
++ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
++ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
++ return False
++ # Standard case: root URI must match
++ return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
++
+ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ verify=True, cert=None, proxies=None):
+ """Receives a Response. Returns a generator of Responses."""
+@@ -209,14 +226,10 @@ class SessionRedirectMixin(object):
+ headers = prepared_request.headers
+ url = prepared_request.url
+
+- if 'Authorization' in headers:
++ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+ # If we get redirected to a new host, we should strip out any
+ # authentication headers.
+- original_parsed = urlparse(response.request.url)
+- redirect_parsed = urlparse(url)
+-
+- if (original_parsed.hostname != redirect_parsed.hostname):
+- del headers['Authorization']
++ del headers['Authorization']
+
+ # .netrc might have more auth for us on our new host.
+ new_auth = get_netrc_auth(url) if self.trust_env else None
+diff --git a/test_requests.py b/test_requests.py
+index 15406a2..e19b436 100755
+--- a/test_requests.py
++++ b/test_requests.py
+@@ -991,6 +991,27 @@ class RequestsTestCase(unittest.TestCase):
+
+ assert h1 == h2
+
++ def test_should_strip_auth_host_change(self):
++ s = requests.Session()
++ assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/')
++
++ def test_should_strip_auth_http_downgrade(self):
++ s = requests.Session()
++ assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar')
++
++ def test_should_strip_auth_https_upgrade(self):
++ s = requests.Session()
++ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar')
++ assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar')
++ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar')
++ # Non-standard ports should trigger stripping
++ assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar')
++ assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar')
++
++ def test_should_strip_auth_port_change(self):
++ s = requests.Session()
++ assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
++
+ def test_manual_redirect_with_partial_body_read(self):
+ s = requests.Session()
+ r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
diff --git a/SPECS/python-requests.spec b/SPECS/python-requests.spec
index fe4acde..d571d0e 100644
--- a/SPECS/python-requests.spec
+++ b/SPECS/python-requests.spec
@@ -6,7 +6,7 @@
Name: python-requests
Version: 2.6.0
-Release: 1%{?dist}
+Release: 5%{?dist}
Summary: HTTP library, written in Python, for human beings
License: ASL 2.0
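Review bot: The standard case in `should_strip_auth` (`return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme`) compares raw `port` values, so a same-scheme redirect that merely spells out the default port — `https://example.com/` to `https://example.com:443/`, or the `:80` equivalent on http — is treated as a different origin and the Authorization header is dropped. That fails closed, so it is not a credential-leak regression, but it contradicts the "root URI must match" comment and is inconsistent with the http-to-https special case directly above, which already treats `None` and the default port as the same thing. Normalizing an absent port to the scheme's default before the comparison makes the standard case consistent (sketch below); `test_should_strip_auth_https_upgrade` in the second inner hunk would be the natural place for a same-scheme default-port assertion such as `assert not s.should_strip_auth('https://example.com/foo', 'https://example.com:443/bar')`. The `resolve_redirects` body touched by the `@@ -209,14 +226,10 @@` inner hunk starts and ends outside the hunk.
```python
        # … unchanged: hostname check and http -> https special case …
        # Standard case: root URI must match. An absent port means the
        # scheme's default port, so https://h/ -> https://h:443/ (or the
        # http/:80 equivalent) is the same origin and keeps its credentials.
        default_ports = {'http': 80, 'https': 443}
        old_port = old_parsed.port
        if old_port is None:
            old_port = default_ports.get(old_parsed.scheme)
        new_port = new_parsed.port
        if new_port is None:
            new_port = default_ports.get(new_parsed.scheme)
        return old_port != new_port or old_parsed.scheme != new_parsed.scheme
```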
@@ -19,6 +19,10 @@ Patch0: python-requests-system-cert-bundle.patch
# Remove an unnecessary reference to a bundled compat lib in urllib3
Patch1: python-requests-remove-nested-bundling-dep.patch
+# Fix for CVE-2018-18074
+# Resolved upstream: https://github.com/requests/requests/pull/4718
+Patch2: fix-CVE-2018-18074.patch
+
BuildArch: noarch
BuildRequires: python2-devel
BuildRequires: python-chardet >= 2.2.1-1
@@ -33,6 +37,9 @@ BuildRequires: python-ordereddict >= 1.1
Requires: python-ordereddict >= 1.1
%endif
+Provides: python2-requests = %{version}-%{release}
+Obsoletes: python2-requests < %{version}-%{release}
+
%description
Most existing Python modules for sending HTTP requests are extremely verbose and cumbersome. Python’s built-in urllib2 module provides most of the HTTP
@@ -60,6 +67,7 @@ designed to make HTTP requests easy for developers.
%patch0 -p1
%patch1 -p1
+%patch2 -p1
# Unbundle the certificate bundle from mozilla.
rm -rf requests/cacert.pem
@@ -81,7 +89,7 @@ rm -rf build/lib/requests/packages/urllib3
popd
%endif
-%{__python} setup.py build
+%py2_build
# Unbundle chardet and urllib3.
rm -rf build/lib/requests/packages/chardet
@@ -95,7 +103,7 @@ pushd %{py3dir}
popd
%endif
-%{__python} setup.py install --skip-build --root $RPM_BUILD_ROOT
+%py2_install
## The tests succeed if run locally, but fail in koji.
## They require an active network connection to query httpbin.org
@@ -110,9 +118,9 @@ popd
%files
%defattr(-,root,root,-)
%doc NOTICE LICENSE README.rst HISTORY.rst
-%{python_sitelib}/*.egg-info
-%dir %{python_sitelib}/requests
-%{python_sitelib}/requests/*
+%{python2_sitelib}/*.egg-info
+%dir %{python2_sitelib}/requests
+%{python2_sitelib}/requests/*
%if 0%{?_with_python3}
%files -n python3-requests
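Review bot: The `Provides`/`Obsoletes: python2-requests` block in `@@ -33,6 +37,9 @@` and the `%py2_build`, `%py2_install` and `%{python2_sitelib}` conversions in `@@ -81,7 +89,7 @@`, `@@ -95,7 +103,7 @@` and `@@ -110,9 +118,9 @@` are packaging changes unrelated to the CVE-2018-18074 fix that is the stated purpose of this release, and the new changelog entry does not mention them. Bundling them into a security update enlarges what has to be validated before the fix ships and makes the errata harder to audit; splitting them into a separate release, or at minimum listing them in the changelog (`- Use python2 build/install macros and add python2-requests Provides/Obsoletes`), would keep the security change minimal. The `%py2_*` macros presumably come from the python-rpm-macros shipped with `python2-devel`, which the spec already requires, but that is worth confirming on the target build root.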
@@ -121,13 +129,16 @@ popd
%endif
%changelog
+* Mon Nov 26 2018 Charalampos Stratakis - 2.6.0-5
+- Fix CVE-2018-18074
+Resolves: rhbz#1647368
+
* Wed Jun 03 2015 Matej Stuchlik - 2.6.0-1
- Update to 2.6.0
-Resolves: rhbz#1206465
+Resolves: rhbz#1214365
* Mon Jan 12 2015 Endi S. Dewata - 1.1.0-9
- Merged headers with different cases.
-Resolves: rhbz#1206465
* Mon Jan 27 2014 Endi S. Dewata - 1.1.0-8
- Removed authentication header on redirect.