diff --git a/backport-CVE-2025-50181-fix-suspend-redirec-ineffect.patch b/backport-CVE-2025-50181-fix-suspend-redirec-ineffect.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8e09e9ae2642af17bd07f4cfc3b344227d295963
--- /dev/null
+++ b/backport-CVE-2025-50181-fix-suspend-redirec-ineffect.patch
@@ -0,0 +1,107 @@
+From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Wed, 18 Jun 2025 16:25:01 +0300
+Subject: [PATCH] Merge commit from fork
+
+* Apply Quentin's suggestion
+
+Co-authored-by: Quentin Pradet
+
+* Add tests for disabled redirects in the pool manager
+
+* Add a possible fix for the issue with not raised `MaxRetryError`
+
+* Make urllib3 handle redirects instead of JS when JSPI is used
+
+* Fix info in the new comment
+
+* State that redirects with XHR are not controlled by urllib3
+
+* Remove excessive params from new test requests
+
+* Add tests reaching max non-0 redirects
+
+* Test redirects with Emscripten
+
+* Fix `test_merge_pool_kwargs`
+
+* Add a changelog entry
+
+* Parametrize tests
+
+* Drop a fix for Emscripten
+
+* Apply Seth's suggestion to docs
+
+Co-authored-by: Seth Michael Larson
+
+* Use a minor release instead of the patch one
+
+Reference:https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+Conflict:test/with_dummyserver/test_poolmanger,
+test/contrib/emscripten/test_emscrepten.py has not been modified because
+is has been deleted in the pre-phase of the spec file;CHANGES.rst,
+docs/reference/contrib/emscripten.rst,dummyserver/app.py has not been
+modified because these are the latest features and informations, does
+not involve related modifications
+---
+ src/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ test/test_poolmanager.py | 5 +++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index 5f4afe1..4a97501 100644
+--- a/src/urllib3/poolmanager.py
++++ b/src/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools, dispose_func=lambda p: p.close())
+ 
+@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
+         kw["body"] = None
+         kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+diff --git a/test/test_poolmanager.py b/test/test_poolmanager.py
+index d367b69..2c7ccac 100644
+--- a/test/test_poolmanager.py
++++ b/test/test_poolmanager.py
+@@ -344,9 +344,10 @@ class TestPoolManager(object):
+ 
+     def test_merge_pool_kwargs(self):
+         """Assert _merge_pool_kwargs works in the happy case"""
+-        p = PoolManager(strict=True)
++        retries = retry.Retry(total=100)
++        p = PoolManager(retries=retries, strict=True)
+         merged = p._merge_pool_kwargs({"new_key": "value"})
+-        assert {"strict": True, "new_key": "value"} == merged
++        assert {"retries": retries, "strict": True, "new_key": "value"} == merged
+ 
+     def test_merge_pool_kwargs_none(self):
+         """Assert false-y values to _merge_pool_kwargs result in defaults"""
+--
+2.43.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 2e515b0935fdfeaae97bd6be2161b3065bc0e16b..2f827df20902dc8a2b1c79982a45a86f02739098 100644
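Review bot: The redirect-suppression fix lands without a regression test in this package: the backport's own Conflict note says the upstream `test/with_dummyserver/test_poolmanager.py` cases were dropped, and the only test touched here, `test_merge_pool_kwargs`, checks kwarg merging rather than redirect handling. A dummyserver-free check of the new `__init__` normalisation is cheap to add beside it and follows directly from `raise_on_redirect = retries is not False`: `assert PoolManager(retries=False).connection_pool_kw["retries"].raise_on_redirect is False` and `assert PoolManager(retries=0).connection_pool_kw["retries"].raise_on_redirect is True`. The `urlopen` change `retries = kw.get("retries", response.retries)` only restores the pool's Retry if this 1.26.12 tree's `HTTPConnectionPool.urlopen` attaches the effective Retry as `response.retries`; that holds upstream but is not visible in this patch, so confirm it in the backport target before relying on the fix. A one-line comment on the `__init__` branch such as `# safe to mutate: from_int() built this Retry just now, no caller-owned object is changed` would spare the next reader wondering why an otherwise copy-on-change Retry is assigned to in place. Both hunks sit inside `PoolManager`, whose body continues outside this patch.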
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -1,13 +1,14 @@
 %global srcname urllib3
 %bcond_without tests
+%global oe_release %(sed -n 's/^openEuler release \([0-9.]\+\) (\(.*\))/openEuler-\1-\2/p' openEuler-release)
 
 Name: python-%{srcname}
 Version: 1.26.12
-Release: 7
+Release: 8
 Summary: Sanity-friendly HTTP client for Python
 License: MIT
 URL: https://urllib3.readthedocs.io
-Source0: https://github.com/urllib3/urllib3/archive/refs/tags/%{version}.tar.gz
+Source0: https://gitee.com/src-openeuler/python-urllib3/raw/{oe_release}/%{version}.tar.gz
 Source1: ssl_match_hostname_py3.py
 
 Patch0001: remove_mock.patch
@@ -20,6 +21,7 @@ Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch
 Patch6006: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
 Patch6007: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
 Patch6008: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
+Patch6009: backport-CVE-2025-50181-fix-suspend-redirec-ineffect.patch
 
 BuildArch: noarch
 
@@ -85,6 +87,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 
 %changelog
+* Tue Jul 2025 tangce - 1.26.12-8
+- Type:CVE
+- CVE:CVE-2025-50181
+- SUG:NA
+- DESC:fix CVE-2025-50181 Fix suspend redirect ineffective
+
 * Tue Jun 25 2024 chengyechun - 1.26.12-7
 - Type:CVE
 - CVE:CVE-2024-37891
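Review bot: The new `Source0` line writes the release macro as `{oe_release}`; rpm only expands the `%{...}` form, so unless the packaging tooling rewrites that token the URL carries the literal text `{oe_release}` and should read `Source0: https://gitee.com/src-openeuler/python-urllib3/raw/%{oe_release}/%{version}.tar.gz`. The `%global oe_release %(sed -n ... openEuler-release)` shell-out also depends on an `openEuler-release` file sitting in the directory rpmbuild parses the spec from; when it is absent the macro silently expands to an empty string, which is worth a comment above it. Separately, this swaps the upstream GitHub tag tarball for a copy served from a downstream mirror, and nothing in the spec pins a digest, so the repository's source checksum (or a manual compare against the upstream 1.26.12 tag archive) is now the only thing attesting that the mirrored tarball is the same code.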
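Review bot: The new %changelog header `* Tue Jul 2025 tangce - 1.26.12-8` has no day of month; rpmbuild parses that stamp as `Day Mon DD YYYY` and rejects a malformed one ("bad date in %changelog"), so the package will not build until the real day is filled in as `* Tue Jul DD 2025 tangce - 1.26.12-8` (the Tuesdays in July 2025 are 1, 8, 15, 22 and 29; use the actual one). The DESC line would also serve future readers better if it named the behaviour fixed rather than echoing the patch file name, e.g. `- DESC:fix CVE-2025-50181: retries=False/0 on PoolManager now actually disables redirects`.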