From e40bff2305a1acc4786ee1ed68460f2ac56eef41 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Thu, 2 Nov 2023 10:33:50 +0800 Subject: [PATCH] fix CVE-2023-45803 --- ...ed-the-Cookie-to-the-list-of-headers.patch | 4 + ...ade-body-stripped-from-HTTP-requests.patch | 125 ++++++++++++++++++ python-urllib3.spec | 16 ++- 3 files changed, 142 insertions(+), 3 deletions(-) rename CVE-2023-43804.patch => backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch (98%) create mode 100644 backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch diff --git a/CVE-2023-43804.patch b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch similarity index 98% rename from CVE-2023-43804.patch rename to backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch index 06567f1..e7beeed 100644 --- a/CVE-2023-43804.patch +++ b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch @@ -5,6 +5,10 @@ Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139) Co-authored-by: Quentin Pradet Co-authored-by: Illia Volochii + +Conflict:NA +Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb + --- src/urllib3/util/retry.py | 2 +- test/test_retry.py | 4 ++-- diff --git a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch new file mode 100644 index 0000000..cbb1ff1 --- /dev/null +++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch @@ -0,0 +1,125 @@ +From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Tue, 17 Oct 2023 19:35:39 +0300 +Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4 + +Conflict:test/with_dummyserver/test_poolmanager.py and +test_connectionpool.py has not been modified because it has been deleted +in the pre-phase of the spec file +Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 + +--- + dummyserver/handlers.py | 7 +++++++ + src/urllib3/_collections.py | 18 ++++++++++++++++++ + src/urllib3/connectionpool.py | 5 +++++ + src/urllib3/poolmanager.py | 7 +++++-- + 4 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py +index c90c2fc..acd181d 100644 +--- a/dummyserver/handlers.py ++++ b/dummyserver/handlers.py +@@ -186,6 +186,8 @@ class TestingApp(RequestHandler): + status = request.params.get("status", "303 See Other") + if len(status) == 3: + status = "%s Redirect" % status.decode("latin-1") ++ elif isinstance(status, bytes): ++ status = status.decode("latin-1") + + headers = [("Location", target)] + return Response(status=status, headers=headers) +@@ -264,6 +266,11 @@ class TestingApp(RequestHandler): + def headers(self, request): + return Response(json.dumps(dict(request.headers))) + ++ def headers_and_params(self, request): ++ return Response( ++ json.dumps({"headers": dict(request.headers), "params": request.params}) ++ ) ++ + def successful_retry(self, request): + """Handler which will return an error and then success + +diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py +index da9857e..bceb845 100644 +--- a/src/urllib3/_collections.py ++++ b/src/urllib3/_collections.py +@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping): + else: + return vals[1:] + ++ def _prepare_for_method_change(self): ++ """ ++ Remove content-specific header fields before changing the request ++ method to GET or HEAD according to RFC 9110, Section 15.4. ++ """ ++ content_specific_headers = [ ++ "Content-Encoding", ++ "Content-Language", ++ "Content-Location", ++ "Content-Type", ++ "Content-Length", ++ "Digest", ++ "Last-Modified", ++ ] ++ for header in content_specific_headers: ++ self.discard(header) ++ return self ++ + # Backwards compatibility for httplib + getheaders = getlist + getallmatchingheaders = getlist +diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py +index e528019..2cc6a63 100644 +--- a/src/urllib3/connectionpool.py ++++ b/src/urllib3/connectionpool.py +@@ -8,6 +8,7 @@ import warnings + from socket import error as SocketError + from socket import timeout as SocketTimeout + ++from ._collections import HTTPHeaderDict + from .connection import ( + BaseSSLError, + BrokenPipeError, +@@ -800,7 +801,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods): + redirect_location = redirect and response.get_redirect_location() + if redirect_location: + if response.status == 303: ++ # Change the method according to RFC 9110, Section 15.4.4. + method = "GET" ++ # And lose the body not to transfer anything sensitive. ++ body = None ++ headers = HTTPHeaderDict(headers)._prepare_for_method_change() + + try: + retries = retries.increment(method, url, response=response, _pool=self) +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index ca4ec34..5f4afe1 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -4,7 +4,7 @@ import collections + import functools + import logging + +-from ._collections import RecentlyUsedContainer ++from ._collections import HTTPHeaderDict, RecentlyUsedContainer + from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme + from .exceptions import ( + LocationValueError, +@@ -382,9 +382,12 @@ class PoolManager(RequestMethods): + # Support relative URLs for redirecting. + redirect_location = urljoin(url, redirect_location) + +- # RFC 7231, Section 6.4.4 + if response.status == 303: ++ # Change the method according to RFC 9110, Section 15.4.4. + method = "GET" ++ # And lose the body not to transfer anything sensitive. ++ kw["body"] = None ++ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() + + retries = kw.get("retries") + if not isinstance(retries, Retry): +-- +2.23.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 6e7e77e..f5e727d 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.7 -Release: 7 +Release: 8 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -19,7 +19,8 @@ Patch6004: backport-fixed-issue-with-port-0-returning-None.patch Patch6005: backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch Patch6006: backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch Patch6007: backport-Fix-_idna_encode-handling-of-x80.patch -Patch6008: CVE-2023-43804.patch +Patch6008: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch +Patch6009: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch BuildArch: noarch @@ -85,8 +86,17 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Thu Nov 02 2023 chengyechun - 1.26.7-8 +- Type:CVE +- CVE:CVE-2023-45803 +- SUG:NA +- DESC:fix CVE-2023-45803 Made body stripped from HTTP requests + * Wed Oct 04 2023 Funda Wang - 1.26.7-7 -- fix CVE-2023-43804 +- Type:CVE +- CVE:CVE-2023-43804 +- SUG:NA +- DESC:fix CVE-2023-43804 added the Cookie to the list of headers * Tue Mar 21 2023 chenhaixing - 1.26.7-6 - Type:bugfix -- Gitee