diff --git a/backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch b/backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch
new file mode 100644
index 0000000000000000000000000000000000000000..73222945d6c439a5399706eef0f3db124cd79ed3
--- /dev/null
+++ b/backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch
@@ -0,0 +1,135 @@ +From 8f4bd4d3fd2eefcc79f17514a80ec983490e03ec Mon Sep 17 00:00:00 2001 +From: Ian Stapleton Cordasco +Date: Sun, 3 Mar 2024 07:00:49 -0600 +Subject: [PATCH] Use TLS settings in selecting connection pool + +Previously, if someone made a request with `verify=False` then made a +request where they expected verification to be enabled to the same host, +they would potentially reuse a connection where TLS had not been +verified. + +This fixes that issue. + +Signed-off-by: qiaojijun +--- + requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++- + tests/test_requests.py | 7 +++++ + 2 files changed, 64 insertions(+), 1 deletion(-) + +diff --git a/requests/adapters.py b/requests/adapters.py +index fa4d9b3..efe0ef4 100644 +--- a/requests/adapters.py ++++ b/requests/adapters.py +@@ -10,6 +10,7 @@ and maintain connections. + + import os.path + import socket ++import typing + + from urllib3.poolmanager import PoolManager, proxy_from_url + from urllib3.response import HTTPResponse +@@ -46,12 +47,38 @@ except ImportError: + def SOCKSProxyManager(*args, **kwargs): + raise InvalidSchema("Missing dependencies for SOCKS support.") + ++if typing.TYPE_CHECKING: ++ from .models import PreparedRequest ++ ++ + DEFAULT_POOLBLOCK = False + DEFAULT_POOLSIZE = 10 + DEFAULT_RETRIES = 0 + DEFAULT_POOL_TIMEOUT = None + + ++def _urllib3_request_context( ++ request: "PreparedRequest", verify: "bool | str | None" ++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])": ++ host_params = {} ++ pool_kwargs = {} ++ parsed_request_url = urlparse(request.url) ++ scheme = parsed_request_url.scheme.lower() ++ port = parsed_request_url.port ++ cert_reqs = "CERT_REQUIRED" ++ if verify is False: ++ cert_reqs = "CERT_NONE" ++ if isinstance(verify, str): ++ pool_kwargs["ca_certs"] = verify ++ pool_kwargs["cert_reqs"] = cert_reqs ++ host_params = { ++ "scheme": scheme, ++ "host": parsed_request_url.hostname, ++ "port": port, ++ } ++ return host_params, pool_kwargs ++ 
++ + class BaseAdapter(object): + """The Base Transport Adapter""" + +@@ -289,6 +316,35 @@ class HTTPAdapter(BaseAdapter): + + return response + ++ def _get_connection(self, request, verify, proxies=None): ++ # Replace the existing get_connection without breaking things and ++ # ensure that TLS settings are considered when we interact with ++ # urllib3 HTTP Pools ++ proxy = select_proxy(request.url, proxies) ++ try: ++ host_params, pool_kwargs = _urllib3_request_context(request, verify) ++ except ValueError as e: ++ raise InvalidURL(e, request=request) ++ if proxy: ++ proxy = prepend_scheme_if_needed(proxy, "http") ++ proxy_url = parse_url(proxy) ++ if not proxy_url.host: ++ raise InvalidProxyURL( ++ "Please check proxy URL. It is malformed " ++ "and could be missing the host." ++ ) ++ proxy_manager = self.proxy_manager_for(proxy) ++ conn = proxy_manager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ else: ++ # Only scheme should be lower case ++ conn = self.poolmanager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ ++ return conn ++ + def get_connection(self, url, proxies=None): + """Returns a urllib3 connection for the given URL. 
This should not be + called from user code, and is only exposed for use when subclassing the +@@ -409,7 +465,7 @@ class HTTPAdapter(BaseAdapter): + """ + + try: +- conn = self.get_connection(request.url, proxies) ++ conn = self._get_connection(request, verify, proxies) + except LocationValueError as e: + raise InvalidURL(e, request=request) + +diff --git a/tests/test_requests.py b/tests/test_requests.py +index b77cba0..a7ac948 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -2567,6 +2567,13 @@ class TestPreparingURLs(object): + p = r.prepare() + assert p.url == expected + ++ def test_different_connection_pool_for_tls_settings(self): ++ s = requests.Session() ++ r1 = s.get("https://invalid.badssl.com", verify=False) ++ assert r1.status_code == 421 ++ with pytest.raises(requests.exceptions.SSLError): ++ s.get("https://invalid.badssl.com") ++ + def test_post_json_nan(self, httpbin): + data = {"foo": float("nan")} + with pytest.raises(requests.exceptions.InvalidJSONError): +-- +2.20.1 + diff --git a/python-requests.spec b/python-requests.spec index 104c8ac649bafb665818f1e2ee1623c635e92e79..0f5eed004af34c42196be103ea97bc3f61d43da0 100644 --- a/python-requests.spec +++ b/python-requests.spec @@ -2,7 +2,7 @@ Name: python-requests Version: 2.26.0 -Release: 8 +Release: 9 Summary: Python HTTP Library License: ASL 2.0 URL: http://python-requests.org/ @@ -14,6 +14,7 @@ Patch3: patch-requests-certs.py-to-use-the-system-CA-bundle.patch Patch4: Remove-tests-that-use-the-tarpit.patch Patch5: Update-dependency-with-chardet.patch Patch6000: backport-CVE-2023-32681.patch +Patch6001: backport-CVE-2024-35195-Use-TLS-settings-in-selecting-connection-pool.patch BuildArch: noarch @@ -97,6 +98,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v %doc HISTORY.md README.md %changelog +* Tue May 21 2024 qiaojijun - 2.26.0-9 +- fix CVE-2024-35195 + * Wed May 31 2023 zhangpan - 2.26.0-8 - fix CVE-2023-32681
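Review bot: The backported test `test_different_connection_pool_for_tls_settings` in the tests/test_requests.py hunk makes live HTTPS requests to `https://invalid.badssl.com`, and this spec's %check runs the whole suite with `%{__python3} -m pytest -v`, so an offline (sandboxed) package build will fail or hang on it; either drop that hunk from the backport, as the existing Remove-tests-that-use-the-tarpit.patch does for other network-dependent tests, or deselect it in %check with `-k "not test_different_connection_pool_for_tls_settings"`. Separately, `send()` now calls the new private `_get_connection` while the docstring kept as context still describes `get_connection` as the hook "exposed for use when subclassing", so adapters that override `get_connection` to inject proxies or TLS contexts are silently bypassed after this backport; at minimum the changelog entry `- fix CVE-2024-35195` should record that behaviour change for downstream users. Also, `_urllib3_request_context` forwards any string `verify` as `pool_kwargs["ca_certs"]`; if the adapter's existing certificate handling accepts a directory for `verify` (as `cert_verify` does in upstream requests), that case presumably needs `ca_cert_dir` instead — worth confirming against this version's `cert_verify` before shipping.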