From 652bd50a7a64738920f59427cd0b99d919229979 Mon Sep 17 00:00:00 2001
From: chengyechun <chengyechun1@huawei.com>
Date: Sat, 7 Oct 2023 14:13:43 +0800
Subject: [PATCH] fix CVE-2023-43804

---
 ...dd-the-Cookie-to-the-list-of-headers.patch | 62 +++++++++++++++++++
 python-urllib3.spec                           |  9 ++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch

diff --git a/backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch b/backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch
new file mode 100644
index 0000000..1acb424
--- /dev/null
+++ b/backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch
@@ -0,0 +1,62 @@
+From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 3 Oct 2023 12:43:45 AM GMT+0800
+Subject: [PATCH] backport CVE-2023-43804 add the Cookie to the list of headers
+
+Conflict:NA
+Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+
+---
+ src/urllib3/util/retry.py     | 2 +-
+ test/test_retry.py            | 4 ++--
+ test/test_retry_deprecated.py | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index c7dc42f..c7c0427 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -217,7 +217,7 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 488c2fa..aff5e64 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -296,12 +296,12 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
++        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["x-api-secret"]
++        assert retry.remove_headers_on_redirect == {"x-api-secret"}
+ 
+     @pytest.mark.parametrize("value", ["-1", "+1", "1.0", six.u("\xb2")])  # \xb2 = ^2
+     def test_parse_retry_after_invalid(self, value):
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index 0885a3f..28f76fb 100644
+--- a/test/test_retry_deprecated.py
++++ b/test/test_retry_deprecated.py
+@@ -298,7 +298,7 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
++        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.23.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 79b543e..e32d322 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -3,7 +3,7 @@
 
 Name:           python-%{srcname}
 Version:        1.26.7
-Release:        6
+Release:        7
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://urllib3.readthedocs.io
@@ -19,6 +19,7 @@ Patch6004:      backport-fixed-issue-with-port-0-returning-None.patch
 Patch6005:      backport-Fix-socket-timeout-value-when-HTTPConnection-is-reused.patch
 Patch6006:      backport-Remove-Exclamation-mark-character-from-the-unreserved-characters.patch
 Patch6007:      backport-Fix-_idna_encode-handling-of-x80.patch
+Patch6008:      backport-CVE-2023-43804-add-the-Cookie-to-the-list-of-headers.patch
 
 BuildArch:      noarch
 
@@ -84,6 +85,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 
 %changelog
+* Sat Oct 07 2023 chengyechun <chengyechun1@huawei.com> - 1.26.7-7
+- Type:CVE
+- CVE:CVE-2023-43804
+- SUG:NA
+- DESC:add the cookie to the list of headers
+
 * Tue Mar 21 2023 chenhaixing <chenhaixing@huawei.com> - 1.26.7-6
 - Type:bugfix
 - CVE:NA
-- 
Gitee