File CVE-2024-35195.patch of Package python-requests.35928

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-35195.patch of Package python-requests.35928

From c0813a2d910ea6b4f8438b91d315b8d181302356 Mon Sep 17 00:00:00 2001
From: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
Date: Sun, 3 Mar 2024 07:00:49 -0600
Subject: [PATCH] Use TLS settings in selecting connection pool

Previously, if someone made a request with `verify=False` then made a
request where they expected verification to be enabled to the same host,
they would potentially reuse a connection where TLS had not been
verified.

This fixes that issue.
---
 src/requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++-
 tests/test_requests.py   |  7 +++++
 tox.ini                  |  2 +-
 3 files changed, 65 insertions(+), 2 deletions(-)

Index: requests-2.11.1/requests/adapters.py
===================================================================
--- requests-2.11.1.orig/requests/adapters.py
+++ requests-2.11.1/requests/adapters.py
@@ -48,6 +48,30 @@ DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 
 
+def _urllib3_request_context(request, verify):
+    host_params = {}
+    pool_kwargs = {}
+    parsed_request_url = urlparse(request.url)
+    scheme = parsed_request_url.scheme.lower()
+    port = parsed_request_url.port
+    cert_reqs = "CERT_REQUIRED"
+    if verify is False:
+        cert_reqs = "CERT_NONE"
+    if isinstance(verify, str):
+        if not os.path.isdir(verify):
+            pool_kwargs["ca_certs"] = verify
+        else:
+            pool_kwargs["ca_cert_dir"] = verify
+    pool_kwargs["cert_reqs"] = cert_reqs
+    host_params = {
+        "scheme": scheme,
+        "host": parsed_request_url.hostname,
+        "port": port,
+        "pool_kwargs": pool_kwargs
+    }
+    return host_params
+
+
 class BaseAdapter(object):
     """The Base Transport Adapter"""
 
@@ -272,6 +296,31 @@ class HTTPAdapter(BaseAdapter):
 
         return response
 
+    def _get_connection(self, request, verify, proxies=None):
+        # Replace the existing get_connection without breaking things and
+        # ensure that TLS settings are considered when we interact with
+        # urllib3 HTTP Pools
+        proxy = select_proxy(request.url, proxies)
+        try:
+            host_params = _urllib3_request_context(request, verify)
+        except ValueError as e:
+            raise InvalidURL(e, request=request)
+        if proxy:
+            proxy = prepend_scheme_if_needed(proxy, "http")
+            proxy_url = parse_url(proxy)
+            if not proxy_url.host:
+                raise InvalidProxyURL(
+                    "Please check proxy URL. It is malformed "
+                    "and could be missing the host."
+                )
+            proxy_manager = self.proxy_manager_for(proxy)
+            conn = proxy_manager.connection_from_host(**host_params)
+        else:
+            # Only scheme should be lower case
+            conn = self.poolmanager.connection_from_host(**host_params)
+
+        return conn
+
     def get_connection(self, url, proxies=None):
         """Returns a urllib3 connection for the given URL. This should not be
         called from user code, and is only exposed for use when subclassing the
@@ -385,7 +434,7 @@ class HTTPAdapter(BaseAdapter):
         :rtype: requests.Response
         """
 
-        conn = self.get_connection(request.url, proxies)
+        conn = self._get_connection(request, verify, proxies)
 
         self.cert_verify(conn, request.url, verify, cert)
         url = self.request_url(request, proxies)

Places

File CVE-2024-35195.patch of Package python-requests.35928

Places