python-requests: add patch for CVE-2024-35195

microsoft · Dec 31, 2024 · 13a146b · 13a146b
1 parent 81fb40a
commit 13a146b
Show file tree

Hide file tree

Showing 2 changed files with 130 additions and 1 deletion.
diff --git a/SPECS/python-requests/CVE-2024-35195.patch b/SPECS/python-requests/CVE-2024-35195.patch
@@ -0,0 +1,125 @@
+# From https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
+diff --color -urN a/requests/adapters.py b/requests/adapters.py
+--- a/requests/adapters.py	2023-05-22 15:10:32.000000000 +0000
++++ b/requests/adapters.py	2024-12-31 09:52:50.514094943 +0000
+@@ -8,6 +8,7 @@
+
+ import os.path
+ import socket  # noqa: F401
++import typing
+
+ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -61,12 +62,38 @@
+         raise InvalidSchema("Missing dependencies for SOCKS support.")
+
+
++if typing.TYPE_CHECKING:
++    from .models import PreparedRequest
++
++
+ DEFAULT_POOLBLOCK = False
+ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+
+
++def _urllib3_request_context(
++    request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++    host_params = {}
++    pool_kwargs = {}
++    parsed_request_url = urlparse(request.url)
++    scheme = parsed_request_url.scheme.lower()
++    port = parsed_request_url.port
++    cert_reqs = "CERT_REQUIRED"
++    if verify is False:
++        cert_reqs = "CERT_NONE"
++    if isinstance(verify, str):
++        pool_kwargs["ca_certs"] = verify
++    pool_kwargs["cert_reqs"] = cert_reqs
++    host_params = {
++        "scheme": scheme,
++        "host": parsed_request_url.hostname,
++        "port": port,
++    }
++    return host_params, pool_kwargs
++
++
+ class BaseAdapter:
+     """The Base Transport Adapter"""
+
+@@ -328,6 +355,35 @@
+
+         return response
+
++    def _get_connection(self, request, verify, proxies=None):
++        # Replace the existing get_connection without breaking things and
++        # ensure that TLS settings are considered when we interact with
++        # urllib3 HTTP Pools
++        proxy = select_proxy(request.url, proxies)
++        try:
++            host_params, pool_kwargs = _urllib3_request_context(request, verify)
++        except ValueError as e:
++            raise InvalidURL(e, request=request)
++        if proxy:
++            proxy = prepend_scheme_if_needed(proxy, "http")
++            proxy_url = parse_url(proxy)
++            if not proxy_url.host:
++                raise InvalidProxyURL(
++                    "Please check proxy URL. It is malformed "
++                    "and could be missing the host."
++                )
++            proxy_manager = self.proxy_manager_for(proxy)
++            conn = proxy_manager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++        else:
++            # Only scheme should be lower case
++            conn = self.poolmanager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++
++        return conn
++
+     def get_connection(self, url, proxies=None):
+         """Returns a urllib3 connection for the given URL. This should not be
+         called from user code, and is only exposed for use when subclassing the
+@@ -451,7 +507,7 @@
+         """
+
+         try:
+-            conn = self.get_connection(request.url, proxies)
++            conn = self._get_connection(request, verify, proxies)
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+
+diff --color -urN a/tests/test_requests.py b/tests/test_requests.py
+--- a/tests/test_requests.py	2023-05-22 15:10:32.000000000 +0000
++++ b/tests/test_requests.py	2024-12-31 09:52:50.514094943 +0000
+@@ -2655,6 +2655,13 @@
+     except ConnectionError as e:
+         assert "Pool is closed." in str(e)
+
++    def test_different_connection_pool_for_tls_settings(self):
++        s = requests.Session()
++        r1 = s.get("https://invalid.badssl.com", verify=False)
++        assert r1.status_code == 421
++        with pytest.raises(requests.exceptions.SSLError):
++            s.get("https://invalid.badssl.com")
++
+
+ class TestPreparingURLs:
+     @pytest.mark.parametrize(
+diff --color -urN a/tox.ini b/tox.ini
+--- a/tox.ini	2023-05-22 15:10:32.000000000 +0000
++++ b/tox.ini	2024-12-31 09:52:50.514094943 +0000
+@@ -7,7 +7,7 @@
+     security
+     socks
+ commands =
+-    pytest tests
++    pytest {posargs:tests}
+
+ [testenv:default]
+
diff --git a/SPECS/python-requests/python-requests.spec b/SPECS/python-requests/python-requests.spec
@@ -1,13 +1,14 @@
 Summary:        Awesome Python HTTP Library That's Actually Usable
 Name:           python-requests
 Version:        2.31.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Languages/Python
 URL:            http://python-requests.org
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
+Patch0:         CVE-2024-35195.patch
 BuildArch:      noarch
 
 %description
@@ -71,6 +72,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 
 %changelog
+* Fri Dec 27 2024 Archana Choudhary <[email protected]> - 2.31.0-2
+- Add patch for CVE-2024-35195
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <[email protected]> - 2.31.0-1
 - Auto-upgrade to 2.31.0 - Azure Linux 3.0 - package upgrades