diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9c5afaa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/requests-2.6.0.tar.gz
diff --git a/.python-requests.metadata b/.python-requests.metadata
new file mode 100644
index 0000000..d5441a8
--- /dev/null
+++ b/.python-requests.metadata
@@ -0,0 +1 @@
+ad7327c73e8be8c188ad489d511097202b1fef12 SOURCES/requests-2.6.0.tar.gz
diff --git a/SOURCES/fix-CVE-2018-18074.patch b/SOURCES/fix-CVE-2018-18074.patch
new file mode 100644
index 0000000..c75cada
--- /dev/null
+++ b/SOURCES/fix-CVE-2018-18074.patch
@@ -0,0 +1,77 @@
+diff --git a/requests/sessions.py b/requests/sessions.py
+index ef3f22b..a0a23ee 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -89,6 +89,23 @@ def merge_hooks(request_hooks, session_hooks, dict_class=OrderedDict):
+ 
+ 
+ class SessionRedirectMixin(object):
++
++ def should_strip_auth(self, old_url, new_url):
++ """Decide whether Authorization header should be removed when redirecting"""
++ old_parsed = urlparse(old_url)
++ new_parsed = urlparse(new_url)
++ if old_parsed.hostname != new_parsed.hostname:
++ return True
++ # Special case: allow http -> https redirect when using the standard
++ # ports. This isn't specified by RFC 7235, but is kept to avoid
++ # breaking backwards compatibility with older versions of requests
++ # that allowed any redirects on the same host.
++ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
++ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
++ return False
++ # Standard case: root URI must match
++ return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
++
+ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ verify=True, cert=None, proxies=None):
+ """Receives a Response. Returns a generator of Responses."""
+@@ -209,14 +226,10 @@ class SessionRedirectMixin(object):
+ headers = prepared_request.headers
+ url = prepared_request.url
+ 
+- if 'Authorization' in headers:
++ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+ # If we get redirected to a new host, we should strip out any
+ # authentication headers.
+- original_parsed = urlparse(response.request.url)
+- redirect_parsed = urlparse(url)
+-
+- if (original_parsed.hostname != redirect_parsed.hostname):
+- del headers['Authorization']
++ del headers['Authorization']
+ 
+ # .netrc might have more auth for us on our new host.
+ new_auth = get_netrc_auth(url) if self.trust_env else None
+diff --git a/test_requests.py b/test_requests.py
+index 15406a2..e19b436 100755
+--- a/test_requests.py
++++ b/test_requests.py
+@@ -991,6 +991,27 @@ class RequestsTestCase(unittest.TestCase):
+ 
+ assert h1 == h2
+ 
++ def test_should_strip_auth_host_change(self):
++ s = requests.Session()
++ assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/')
++
++ def test_should_strip_auth_http_downgrade(self):
++ s = requests.Session()
++ assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar')
++
++ def test_should_strip_auth_https_upgrade(self):
++ s = requests.Session()
++ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar')
++ assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar')
++ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar')
++ # Non-standard ports should trigger stripping
++ assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar')
++ assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar')
++
++ def test_should_strip_auth_port_change(self):
++ s = requests.Session()
++ assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
++
+ def test_manual_redirect_with_partial_body_read(self):
+ s = requests.Session()
+ r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
diff --git a/SOURCES/fix-default-port-handling.patch b/SOURCES/fix-default-port-handling.patch
new file mode 100644
index 0000000..fa9d259
--- /dev/null
+++ b/SOURCES/fix-default-port-handling.patch
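Review bot: `should_strip_auth` now evaluates `.port` on both parsed URLs, and `urlparse(...).port` raises ValueError when the netloc carries a non-numeric port; the `url` passed in from the second hunk is the server-supplied Location made absolute earlier in `resolve_redirects` (outside this hunk, so whether it was validated before reaching here is inferred, not visible), so a malformed redirect target would now escape as a bare ValueError rather than a stripped header or a requests exception. The code this replaces compared only `.hostname`, which does not parse the port, so this is a failure path the backport introduces. Fail closed on an unparsable port by treating it as a change that strips the header, as below. The enclosing method of the second hunk (`headers = prepared_request.headers` ...) starts and ends outside the hunk.
```python
    # … unchanged: urlparse of both URLs and the hostname comparison …
    try:
        old_port, new_port = old_parsed.port, new_parsed.port
    except ValueError:
        # The redirect target comes from the server's Location header; if its
        # port does not parse, fail closed and drop the Authorization header.
        return True
    # … unchanged: comment explaining the http -> https special case …
    if (old_parsed.scheme == 'http' and old_port in (80, None)
            and new_parsed.scheme == 'https' and new_port in (443, None)):
        return False
    # Standard case: root URI must match
    return old_port != new_port or old_parsed.scheme != new_parsed.scheme
```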
@@ -0,0 +1,67 @@
+diff --git a/requests/sessions.py b/requests/sessions.py
+index a0a23ee..9a51f33 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -18,7 +18,7 @@ from .cookies import (
+ cookiejar_from_dict, extract_cookies_to_jar, RequestsCookieJar, merge_cookies)
+ from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
+ from .hooks import default_hooks, dispatch_hook
+-from .utils import to_key_val_list, default_headers, to_native_string
++from .utils import to_key_val_list, default_headers, to_native_string, DEFAULT_PORTS
+ from .exceptions import (
+ TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
+ from .packages.urllib3._collections import RecentlyUsedContainer
+@@ -103,8 +103,17 @@ class SessionRedirectMixin(object):
+ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
+ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
+ return False
++
++ # Handle default port usage corresponding to scheme.
++ changed_port = old_parsed.port != new_parsed.port
++ changed_scheme = old_parsed.scheme != new_parsed.scheme
++ default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
++ if (not changed_scheme and old_parsed.port in default_port
++ and new_parsed.port in default_port):
++ return False
++
+ # Standard case: root URI must match
+- return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
++ return changed_port or changed_scheme
+ 
+ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ verify=True, cert=None, proxies=None):
+diff --git a/requests/utils.py b/requests/utils.py
+index 8fba62d..14c94bd 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -37,6 +37,8 @@ NETRC_FILES = ('.netrc', '_netrc')
+ 
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+ 
++DEFAULT_PORTS = {'http': 80, 'https': 443}
++
+ 
+ 
+ def dict_to_sequence(d):
+ """Returns an internal sequence dictionary update."""
+diff --git a/test_requests.py b/test_requests.py
+index e19b436..b76d2a4 100755
+--- a/test_requests.py
++++ b/test_requests.py
+@@ -1012,6 +1012,17 @@ class RequestsTestCase(unittest.TestCase):
+ s = requests.Session()
+ assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
+ 
++ @pytest.mark.parametrize(
++ 'old_uri, new_uri', (
++ ('https://example.com:443/foo', 'https://example.com/bar'),
++ ('http://example.com:80/foo', 'http://example.com/bar'),
++ ('https://example.com/foo', 'https://example.com:443/bar'),
++ ('http://example.com/foo', 'http://example.com:80/bar')
++ ))
++ def test_should_strip_auth_default_port(self, old_uri, new_uri):
++ s = requests.Session()
++ assert not s.should_strip_auth(old_uri, new_uri)
++
+ def test_manual_redirect_with_partial_body_read(self):
+ s = requests.Session()
+ r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
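Review bot: `test_should_strip_auth_default_port` is decorated with `@pytest.mark.parametrize` but is a method of `RequestsTestCase(unittest.TestCase)` (the hunk's context line), and pytest does not apply parametrize to unittest.TestCase methods, so the test is invoked without `old_uri`/`new_uri` and errors instead of checking the four default-port pairs; with `%check` disabled in the spec, nothing in the build would notice. Write it as a plain method that loops over the pairs: `for old_uri, new_uri in pairs:` / `assert not s.should_strip_auth(old_uri, new_uri)`. In `should_strip_auth`, the `, None` in `DEFAULT_PORTS.get(old_parsed.scheme, None)` is redundant because `dict.get` already defaults to None; `default_port = (DEFAULT_PORTS.get(old_parsed.scheme), None)` reads cleaner. The `# Handle default port usage corresponding to scheme.` comment would be more useful stating the rule it implements, e.g. `# Same scheme with the scheme's default port, explicit or implicit, on both sides is not a change.`.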
diff --git a/SOURCES/python-requests-remove-nested-bundling-dep.patch b/SOURCES/python-requests-remove-nested-bundling-dep.patch
new file mode 100644
index 0000000..d915a4e
--- /dev/null
+++ b/SOURCES/python-requests-remove-nested-bundling-dep.patch
@@ -0,0 +1,29 @@
+From 8c2259d4ab03ef982738aaf863068a1015cadf3d Mon Sep 17 00:00:00 2001
+From: Ralph Bean
+Date: Wed, 5 Nov 2014 10:23:44 -0500
+Subject: [PATCH] Remove nested bundling dep.
+
+---
+ requests/compat.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/requests/compat.py b/requests/compat.py
+index be5a1ed..70ea4e8 100644
+--- a/requests/compat.py
++++ b/requests/compat.py
+@@ -91,7 +91,11 @@ if is_py2:
+ import cookielib
+ from Cookie import Morsel
+ from StringIO import StringIO
+- from .packages.urllib3.packages.ordered_dict import OrderedDict
++
++ try:
++ from collections import OrderedDict # py2.7
++ except:
++ from ordereddict import OrderedDict # py2.6 and lower (el6, etc.)
+ 
+ builtin_str = str
+ bytes = str
+-- 
+1.9.3
+
diff --git a/SOURCES/python-requests-system-cert-bundle.patch b/SOURCES/python-requests-system-cert-bundle.patch
new file mode 100644
index 0000000..e76b741
--- /dev/null
+++ b/SOURCES/python-requests-system-cert-bundle.patch
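Review bot: The new fallback wraps `from collections import OrderedDict` in a bare `except:`, which also catches KeyboardInterrupt and SystemExit and hides any failure other than a missing module; narrow it to `except ImportError:`, the only condition the `ordereddict` fallback is meant to cover. The `# py2.6 and lower (el6, etc.)` branch relies on the separate `python-ordereddict` package that the spec requires only for rhel <= 6, so on any other target an error here is a real packaging bug that should surface rather than be swallowed. The enclosing `if is_py2:` block starts and ends outside the hunk.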
@@ -0,0 +1,38 @@
+From a49b39fbfe01791880c6e7179f6efdad03e8ce58 Mon Sep 17 00:00:00 2001
+From: Ralph Bean
+Date: Wed, 5 Nov 2014 10:15:17 -0500
+Subject: [PATCH] system cert bundle
+
+---
+ requests/certs.py | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/requests/certs.py b/requests/certs.py
+index 07e6475..2c7ca96 100644
+--- a/requests/certs.py
++++ b/requests/certs.py
+@@ -10,16 +10,17 @@ This module returns the preferred default CA certificate bundle.
+ If you are packaging Requests, e.g., for a Linux distribution or a managed
+ environment, you can change the definition of where() to return a separately
+ packaged CA bundle.
++
++We return "/etc/pki/tls/certs/ca-bundle.crt" provided by the ca-certificates
++package.
+ """
+-import os.path
+ 
+ try:
+ from certifi import where
+ except ImportError:
+ def where():
+- """Return the preferred certificate bundle."""
+- # vendored bundle inside Requests
+- return os.path.join(os.path.dirname(__file__), 'cacert.pem')
++ """ Don't use the certs bundled with requests, use ca-certificates. """
++ return "/etc/pki/tls/certs/ca-bundle.crt"
+ 
+ if __name__ == '__main__':
+ print(where())
+-- 
+1.9.3
+
diff --git a/SPECS/python-requests.spec b/SPECS/python-requests.spec
new file mode 100644
index 0000000..af6cd1e
--- /dev/null
+++ b/SPECS/python-requests.spec
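Review bot: The fallback `where()` now pins `/etc/pki/tls/certs/ca-bundle.crt`, but it is still only defined when `from certifi import where` fails (the context lines above it), so a `certifi` installed from pip silently takes precedence over the distribution trust store the spec says should be used explicitly. If the intent is to always honour ca-certificates, drop the try/except and return the system path unconditionally; if the certifi precedence is deliberate, the new docstring paragraph should say so, e.g. `certifi, when installed, takes precedence over this bundle.`. The hard-coded path is correct only because the package requires ca-certificates, so a comment on the `return` line naming that dependency would help anyone reusing the patch on another distribution.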
@@ -0,0 +1,245 @@
+%if 0%{?fedora}
+%global _with_python3 1
+%else
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib())")}
+%endif
+
+Name: python-requests
+Version: 2.6.0
+Release: 6%{?dist}
+Summary: HTTP library, written in Python, for human beings
+
+License: ASL 2.0
+URL: http://pypi.python.org/pypi/requests
+Source0: http://pypi.python.org/packages/source/r/requests/requests-%{version}.tar.gz
+# Explicitly use the system certificates in ca-certificates.
+# https://bugzilla.redhat.com/show_bug.cgi?id=904614
+Patch0: python-requests-system-cert-bundle.patch
+
+# Remove an unnecessary reference to a bundled compat lib in urllib3
+Patch1: python-requests-remove-nested-bundling-dep.patch
+
+# Fix for CVE-2018-18074
+# Resolved upstream: https://github.com/requests/requests/pull/4718
+Patch2: fix-CVE-2018-18074.patch
+
+# Fix handling of default ports in auth stripping
+# Resolved upstream: https://github.com/psf/requests/pull/4851
+Patch3: fix-default-port-handling.patch
+
+BuildArch: noarch
+BuildRequires: python2-devel
+BuildRequires: python-chardet >= 2.2.1-1
+BuildRequires: python-urllib3 >= 1.10.2-1
+
+Requires: ca-certificates
+Requires: python-chardet >= 2.2.1-1
+Requires: python-urllib3 >= 1.10.2-1
+
+%if 0%{?rhel} && 0%{?rhel} <= 6
+BuildRequires: python-ordereddict >= 1.1
+Requires: python-ordereddict >= 1.1
+%endif
+
+Provides: python2-requests = %{version}-%{release}
+Obsoletes: python2-requests < %{version}-%{release}
+
+%description
+Most existing Python modules for sending HTTP requests are extremely verbose and
+cumbersome. Python’s built-in urllib2 module provides most of the HTTP
+capabilities you should need, but the API is thoroughly broken. This library is
+designed to make HTTP requests easy for developers.
+
+%if 0%{?_with_python3}
+%package -n python3-requests
+Summary: HTTP library, written in Python, for human beings
+BuildRequires: python3-devel
+BuildRequires: python3-chardet
+BuildRequires: python3-urllib3
+Requires: python3-chardet
+Requires: python3-urllib3
+
+%description -n python3-requests
+Most existing Python modules for sending HTTP requests are extremely verbose and
+cumbersome. Python’s built-in urllib2 module provides most of the HTTP
+capabilities you should need, but the API is thoroughly broken. This library is
+designed to make HTTP requests easy for developers.
+%endif
+
+%prep
+%setup -q -n requests-%{version}
+
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
+# Unbundle the certificate bundle from mozilla.
+rm -rf requests/cacert.pem
+
+%if 0%{?_with_python3}
+rm -rf %{py3dir}
+cp -a . %{py3dir}
+%endif # with_python3
+
+%build
+%if 0%{?_with_python3}
+pushd %{py3dir}
+%{__python3} setup.py build
+
+# Unbundle chardet and urllib3.
+rm -rf build/lib/requests/packages/chardet
+rm -rf build/lib/requests/packages/urllib3
+
+popd
+%endif
+
+%py2_build
+
+# Unbundle chardet and urllib3.
+rm -rf build/lib/requests/packages/chardet
+rm -rf build/lib/requests/packages/urllib3
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%if 0%{?_with_python3}
+pushd %{py3dir}
+%{__python3} setup.py install --skip-build --root $RPM_BUILD_ROOT
+popd
+%endif
+
+%py2_install
+
+## The tests succeed if run locally, but fail in koji.
+## They require an active network connection to query httpbin.org
+#%%check
+#%%{__python} test_requests.py
+#%%if 0%%{?_with_python3}
+#pushd %%{py3dir}
+#%%{__python3} test_requests.py
+#popd
+#%%endif
+
+%files
+%defattr(-,root,root,-)
+%doc NOTICE LICENSE README.rst HISTORY.rst
+%{python2_sitelib}/*.egg-info
+%dir %{python2_sitelib}/requests
+%{python2_sitelib}/requests/*
+
+%if 0%{?_with_python3}
+%files -n python3-requests
+%{python3_sitelib}/*.egg-info
+%{python3_sitelib}/requests/
+%endif
+
+%changelog
+* Tue Aug 27 2019 Charalampos Stratakis - 2.6.0-6
+- Fix handling of default ports in auth stripping
+Resolves: rhbz#1745417
+
+* Mon Nov 26 2018 Charalampos Stratakis - 2.6.0-5
+- Fix CVE-2018-18074
+Resolves: rhbz#1647368
+
+* Wed Jun 03 2015 Matej Stuchlik - 2.6.0-1
+- Update to 2.6.0
+Resolves: rhbz#1214365
+
+* Mon Jan 12 2015 Endi S. Dewata - 1.1.0-9
+- Merged headers with different cases.
+
+* Mon Jan 27 2014 Endi S. Dewata - 1.1.0-8
+- Removed authentication header on redirect.
+
+* Fri Dec 27 2013 Daniel Mach - 1.1.0-7
+- Mass rebuild 2013-12-27
+
+* Fri Oct 4 2013 Endi S. Dewata - 1.1.0-6
+- Removed bundled packages.
+
+* Tue Jun 18 2013 Endi S. Dewata - 1.1.0-5
+- Fixed bogus date in changelog entry.
+
+* Tue Jun 11 2013 Ralph Bean - 1.1.0-4
+- Correct a rhel conditional on python-ordereddict
+
+* Thu Feb 28 2013 Ralph Bean - 1.1.0-3
+- Unbundled python-urllib3. Using system python-urllib3 now.
+- Conditionally include python-ordereddict for el6.
+
+* Wed Feb 27 2013 Ralph Bean - 1.1.0-2
+- Unbundled python-charade/chardet. Using system python-chardet now.
+- Removed deprecated comments and actions against oauthlib unbundling.
+ Those are no longer necessary in 1.1.0.
+- Added links to bz tickets over Patch declarations.
+
+* Tue Feb 26 2013 Ralph Bean - 1.1.0-1
+- Latest upstream.
+- Relicense to ASL 2.0 with upstream.
+- Removed cookie handling patch (fixed in upstream tarball).
+- Updated cert unbundling patch to match upstream.
+- Added check section, but left it commented out for koji.
+
+* Fri Feb 8 2013 Toshio Kuratomi - 0.14.1-4
+- Let brp_python_bytecompile run again, take care of the non-python{2,3} modules
+ by removing them from the python{,3}-requests package that they did not belong
+ in.
+- Use the certificates in the ca-certificates package instead of the bundled one
+ + https://bugzilla.redhat.com/show_bug.cgi?id=904614
+- Fix a problem with cookie handling
+ + https://bugzilla.redhat.com/show_bug.cgi?id=906924
+
+* Mon Oct 22 2012 Arun S A G 0.14.1-1
+- Updated to latest upstream release
+
+* Sun Jun 10 2012 Arun S A G 0.13.1-1
+- Updated to latest upstream release 0.13.1
+- Use system provided ca-certificates
+- No more async requests use grrequests https://github.com/kennethreitz/grequests
+- Remove gevent as it is no longer required by requests
+
+* Sun Apr 01 2012 Arun S A G 0.11.1-1
+- Updated to upstream release 0.11.1
+
+* Thu Mar 29 2012 Arun S A G 0.10.6-3
+- Support building package for EL6
+
+* Tue Mar 27 2012 Rex Dieter 0.10.6-2
+- +python3-requests pkg
+
+* Sat Mar 3 2012 Arun SAG - 0.10.6-1
+- Updated to new upstream version
+
+* Sat Jan 21 2012 Arun SAG - 0.9.3-1
+- Updated to new upstream version 0.9.3
+- Include python-gevent as a dependency for requests.async
+- Clean up shebangs in requests/setup.py,test_requests.py and test_requests_ext.py
+
+* Sat Jan 14 2012 Fedora Release Engineering - 0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Sun Nov 27 2011 Arun SAG - 0.8.2-1
+- New upstream version
+- keep alive support
+- complete removal of cookiejar and urllib2
+
+* Thu Nov 10 2011 Arun SAG - 0.7.6-1
+- Updated to new upstream release 0.7.6
+
+* Thu Oct 20 2011 Arun SAG - 0.6.6-1
+- Updated to version 0.6.6
+
+* Fri Aug 26 2011 Arun SAG - 0.6.1-1
+- Updated to version 0.6.1
+
+* Sat Aug 20 2011 Arun SAG - 0.6.0-1
+- Updated to latest version 0.6.0
+
+* Mon Aug 15 2011 Arun SAG - 0.5.1-2
+- Remove OPT_FLAGS from build
section since it is a noarch package
+- Fix use of mixed tabs and space
+- Remove extra space around the word cumbersome in description
+
+* Sun Aug 14 2011 Arun SAG - 0.5.1-1
+- Initial package
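Review bot: The `%check` section that would run `test_requests.py` is left commented out (the `#%%check` lines), so neither the CVE-2018-18074 regression tests added by Patch2 nor the default-port tests added by Patch3 are executed at build time, and a regression in the backported `should_strip_auth` would ship unnoticed. Those tests construct URLs locally and do not touch httpbin.org, so an offline subset could run, e.g. `%check` / `%{__python} -m pytest test_requests.py -k should_strip_auth`, provided pytest is added as a BuildRequires (the patched test file already imports it). Separately, `URL` and `Source0` reference pypi.python.org over plain `http://`; the tarball itself is pinned by the SHA-1 recorded in `.python-requests.metadata`, but the URL is what a maintainer re-fetching the source will follow, so `https://` is the safer reference.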