From f57d24dce8ec2b1d5f219a62660d7364c99f04e2 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 20 2020 19:44:51 +0000
Subject: import rh-python38-python-urllib3-1.25.7-6.el7
---
diff --git a/SOURCES/CVE-2020-26137.patch b/SOURCES/CVE-2020-26137.patch
new file mode 100644
index 0000000..a301b7a
--- /dev/null
+++ b/SOURCES/CVE-2020-26137.patch
@@ -0,0 +1,37 @@
+diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
+index f5c946a..49f04b1 100644
+--- a/src/urllib3/connection.py
++++ b/src/urllib3/connection.py
+@@ -1,4 +1,5 @@
+ from __future__ import absolute_import
++import re
+ import datetime
+ import logging
+ import os
+@@ -58,6 +59,8 @@ port_by_scheme = {"http": 80, "https": 443}
+ # (ie test_recent_date is failing) update it to ~6 months before the current date.
+ RECENT_DATE = datetime.date(2019, 1, 1)
+ 
++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
++
+ class DummyConnection(object):
+ """Used to detect a failed ConnectionCls import."""
+@@ -184,6 +187,17 @@ class HTTPConnection(_HTTPConnection, object):
+ conn = self._new_conn()
+ self._prepare_conn(conn)
+ 
++ def putrequest(self, method, url, *args, **kwargs):
++ """Send a request to the server"""
++ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
++ if match:
++ raise ValueError(
++ "Method cannot contain non-token characters %r (found at least %r)"
++ % (method, match.group())
++ )
++
++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
++
+ def request_chunked(self, method, url, body=None, headers=None):
+ """
+ Alternative to the common request method, which sends the
diff --git a/SPECS/python-urllib3.spec b/SPECS/python-urllib3.spec
index d704e7b..66948e7 100644
--- a/SPECS/python-urllib3.spec
+++ b/SPECS/python-urllib3.spec
@@ -8,7 +8,7 @@ Name: %{?scl_prefix}python-%{srcname}
 Version: 1.25.7
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Python HTTP library with thread-safe connection pooling and file post
 License: MIT
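Review bot: The `putrequest` override's docstring, `"""Send a request to the server"""`, omits the only behaviour it adds — rejecting a `method` that contains characters outside the HTTP token set before anything is written to the socket; a docstring such as `"""Send a request to the server.\n\nRaises ValueError if ``method`` contains characters outside the RFC 7230 token set, which the request line must never carry."""` would make the contract visible to callers that catch ValueError. The check runs before delegating to `_HTTPConnection.putrequest`, so any path that reaches this method through `self.putrequest` is covered; `request_chunked` (its signature is the last line of the hunk, its body outside it) only benefits if it calls `self.putrequest` rather than the base class directly, which is worth confirming. `_CONTAINS_CONTROL_CHAR_RE` is compiled from a `str` pattern, so a `bytes` method would make `.search` raise TypeError instead of the intended ValueError; if any caller can pass bytes, normalise or reject that up front.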
@@ -18,6 +18,8 @@ Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
 Source1: ssl_match_hostname_py3.py
 BuildArch: noarch
+Patch0: CVE-2020-26137.patch
+
 BuildRequires: %{?scl_prefix}python%{python3_pkgversion}-devel
 BuildRequires: %{?scl_prefix}python%{python3_pkgversion}-setuptools
 BuildRequires: %{?scl_prefix}python%{python3_pkgversion}-rpm-macros
@@ -109,6 +111,10 @@ popd
 %changelog
+* Tue Oct 06 2020 Charalampos Stratakis - 1.25.7-6
+- Security fix for CVE-2020-26137: CRLF injection via HTTP request method
+Resolves: rhbz#1885284
+
 * Tue Feb 04 2020 Lumír Balhar - 1.25.7-5
 - Import from the python38 module and modified for rh-python38 RHSCL
 Resolves: rhbz#1671025
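Review bot: `Patch0: CVE-2020-26137.patch` declares the patch, but nothing in this diff applies it; unless `%prep` already uses `%autosetup` (or `%autopatch`), a matching `%patch0 -p1` is needed there, and without it the build would ship the unpatched `connection.py` while the changelog claims the CVE is fixed. `%prep` is outside the diff, so this is something to confirm rather than a certain defect; `-p1` is the right strip level because the patch paths are `a/src/urllib3/connection.py`. A `%check` step that imports the built package and asserts that `HTTPConnection.putrequest` raises ValueError for a method containing a control character would catch a silently unapplied patch at build time.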