From edd18ddb419daf023b645c7d11b840b5f49f6d29 Mon Sep 17 00:00:00 2001
From: chengyechun <chengyechun1@huawei.com>
Date: Wed, 20 Aug 2025 04:00:13 +0000
Subject: [PATCH] fix CVE-2025-50182

---
 ...etries-and-redirect-affect-in-nodejs.patch | 49 +++++++++++++++++++
 python-urllib3.spec                           | 10 +++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-50182-make-retries-and-redirect-affect-in-nodejs.patch

diff --git a/backport-CVE-2025-50182-make-retries-and-redirect-affect-in-nodejs.patch b/backport-CVE-2025-50182-make-retries-and-redirect-affect-in-nodejs.patch
new file mode 100644
index 0000000..239837a
--- /dev/null
+++ b/backport-CVE-2025-50182-make-retries-and-redirect-affect-in-nodejs.patch
@@ -0,0 +1,49 @@
+From 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 18 Jun 2025 16:30:35 +0300
+Subject: [PATCH] Merge commit from fork
+---
+ src/urllib3/contrib/emscripten/fetch.py | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/urllib3/contrib/emscripten/fetch.py b/src/urllib3/contrib/emscripten/fetch.py
+index a514306..6695821 100644
+--- a/src/urllib3/contrib/emscripten/fetch.py
++++ b/src/urllib3/contrib/emscripten/fetch.py
+@@ -573,6 +573,11 @@ def send_jspi_request(
+         "method": request.method,
+         "signal": js_abort_controller.signal,
+     }
++    # Node.js returns the whole response (unlike opaqueredirect in browsers),
++    # so urllib3 can set `redirect: manual` to control redirects itself.
++    # https://stackoverflow.com/a/78524615
++    if _is_node_js():
++        fetch_data["redirect"] = "manual"
+     # Call JavaScript fetch (async api, returns a promise)
+     fetcher_promise_js = js.fetch(request.url, _obj_from_dict(fetch_data))
+     # Now suspend WebAssembly until we resolve that promise
+@@ -693,6 +698,21 @@ def has_jspi() -> bool:
+         return False
+ 
+ 
++def _is_node_js() -> bool:
++    """
++    Check if we are in Node.js.
++
++    :return: True if we are in Node.js.
++    :rtype: bool
++    """
++    return (
++        hasattr(js, "process")
++        and hasattr(js.process, "release")
++        # According to the Node.js documentation, the release name is always "node".
++        and js.process.release.name == "node"
++    )
++
++
+ def streaming_ready() -> bool | None:
+     if _fetcher:
+         return _fetcher.streaming_ready
+-- 
+2.33.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 8b00a2e..12f1510 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -3,13 +3,15 @@
 
 Name:           python-%{srcname}
 Version:        2.3.0
-Release:        2
+Release:        3
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://github.com/urllib3/urllib3
 Source0:        %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
 Source1:        ssl_match_hostname_py3.py
 
+Patch001:       backport-CVE-2025-50182-make-retries-and-redirect-affect-in-nodejs.patch 
+
 BuildArch:      noarch
 
 %description 
@@ -90,6 +92,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.dist-info
 
 %changelog
+* Wed Aug 20 2025 tangce <tangce1@h-partners.com> - 2.3.0-3
+- Type:CVE
+- CVE:CVE-2025-50182
+- SUG:NA
+- DESC:fix CVE-2025-50182 make retries and redirect affect in node.js
+
 * Wed Aug 13 2025 Dongxing Wang <dongxing.wang_a@thundersoft.com> - 2.3.0-2
 - Add extra package for selenium install deps and drop python-six
 
-- 
Gitee