Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
python-requests
CVE-2024-35195.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-35195.patch of Package python-requests
From c0813a2d910ea6b4f8438b91d315b8d181302356 Mon Sep 17 00:00:00 2001 From: Ian Stapleton Cordasco <graffatcolmingov@gmail.com> Date: Sun, 3 Mar 2024 07:00:49 -0600 Subject: [PATCH] Use TLS settings in selecting connection pool Previously, if someone made a request with `verify=False` then made a request where they expected verification to be enabled to the same host, they would potentially reuse a connection where TLS had not been verified. This fixes that issue. --- src/requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++- tests/test_requests.py | 7 +++++ tox.ini | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) Index: requests-2.11.1/requests/adapters.py =================================================================== --- requests-2.11.1.orig/requests/adapters.py +++ requests-2.11.1/requests/adapters.py @@ -48,6 +48,30 @@ DEFAULT_RETRIES = 0 DEFAULT_POOL_TIMEOUT = None +def _urllib3_request_context(request, verify): + host_params = {} + pool_kwargs = {} + parsed_request_url = urlparse(request.url) + scheme = parsed_request_url.scheme.lower() + port = parsed_request_url.port + cert_reqs = "CERT_REQUIRED" + if verify is False: + cert_reqs = "CERT_NONE" + if isinstance(verify, str): + if not os.path.isdir(verify): + pool_kwargs["ca_certs"] = verify + else: + pool_kwargs["ca_cert_dir"] = verify + pool_kwargs["cert_reqs"] = cert_reqs + host_params = { + "scheme": scheme, + "host": parsed_request_url.hostname, + "port": port, + "pool_kwargs": pool_kwargs + } + return host_params + + class BaseAdapter(object): """The Base Transport Adapter""" @@ -272,6 +296,31 @@ class HTTPAdapter(BaseAdapter): return response + def _get_connection(self, request, verify, proxies=None): + # Replace the existing get_connection without breaking things and + # ensure that TLS settings are considered when we interact with + # urllib3 HTTP Pools + proxy = select_proxy(request.url, proxies) + try: + host_params = _urllib3_request_context(request, verify) + except ValueError as e: + raise InvalidURL(e, request=request) + if proxy: + proxy = prepend_scheme_if_needed(proxy, "http") + proxy_url = parse_url(proxy) + if not proxy_url.host: + raise InvalidProxyURL( + "Please check proxy URL. It is malformed " + "and could be missing the host." + ) + proxy_manager = self.proxy_manager_for(proxy) + conn = proxy_manager.connection_from_host(**host_params) + else: + # Only scheme should be lower case + conn = self.poolmanager.connection_from_host(**host_params) + + return conn + def get_connection(self, url, proxies=None): """Returns a urllib3 connection for the given URL. This should not be called from user code, and is only exposed for use when subclassing the @@ -385,7 +434,7 @@ class HTTPAdapter(BaseAdapter): :rtype: requests.Response """ - conn = self.get_connection(request.url, proxies) + conn = self._get_connection(request, verify, proxies) self.cert_verify(conn, request.url, verify, cert) url = self.request_url(request, proxies)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor