python-requests: add patch for CVE-2024-35195

SPECS/python-requests/CVE-2024-35195.patch

@@ -0,0 +1,143 @@
+From c0813a2d910ea6b4f8438b91d315b8d181302356 Mon Sep 17 00:00:00 2001
+From: Ian Stapleton Cordasco <[email protected]>
+Date: Sun, 3 Mar 2024 07:00:49 -0600
+Subject: [PATCH] Use TLS settings in selecting connection pool
+
+Previously, if someone made a request with `verify=False` then made a
+request where they expected verification to be enabled to the same host,
+they would potentially reuse a connection where TLS had not been
+verified.
+
+This fixes that issue.
+---
+ src/requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++-
+ tests/test_requests.py   |  7 +++++
+ tox.ini                  |  2 +-
+ 3 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index fc5606bdcb..6c62766639 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -8,6 +8,7 @@
+
+ import os.path
+ import socket  # noqa: F401
++import typing
+
+ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -61,12 +62,38 @@ def SOCKSProxyManager(*args, **kwargs):
+         raise InvalidSchema("Missing dependencies for SOCKS support.")
+
+
++if typing.TYPE_CHECKING:
++    from .models import PreparedRequest
++
++
+ DEFAULT_POOLBLOCK = False
+ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+
+
++def _urllib3_request_context(
++    request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++    host_params = {}
++    pool_kwargs = {}
++    parsed_request_url = urlparse(request.url)
++    scheme = parsed_request_url.scheme.lower()
++    port = parsed_request_url.port
++    cert_reqs = "CERT_REQUIRED"
++    if verify is False:
++        cert_reqs = "CERT_NONE"
++    if isinstance(verify, str):
++        pool_kwargs["ca_certs"] = verify
++    pool_kwargs["cert_reqs"] = cert_reqs
++    host_params = {
++        "scheme": scheme,
++        "host": parsed_request_url.hostname,
++        "port": port,
++    }
++    return host_params, pool_kwargs
++
++
+ class BaseAdapter:
+     """The Base Transport Adapter"""
+
+@@ -327,6 +354,35 @@ def build_response(self, req, resp):
+
+         return response
+
++    def _get_connection(self, request, verify, proxies=None):
++        # Replace the existing get_connection without breaking things and
++        # ensure that TLS settings are considered when we interact with
++        # urllib3 HTTP Pools
++        proxy = select_proxy(request.url, proxies)
++        try:
++            host_params, pool_kwargs = _urllib3_request_context(request, verify)
++        except ValueError as e:
++            raise InvalidURL(e, request=request)
++        if proxy:
++            proxy = prepend_scheme_if_needed(proxy, "http")
++            proxy_url = parse_url(proxy)
++            if not proxy_url.host:
++                raise InvalidProxyURL(
++                    "Please check proxy URL. It is malformed "
++                    "and could be missing the host."
++                )
++            proxy_manager = self.proxy_manager_for(proxy)
++            conn = proxy_manager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++        else:
++            # Only scheme should be lower case
++            conn = self.poolmanager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++
++        return conn
++
+     def get_connection(self, url, proxies=None):
+         """Returns a urllib3 connection for the given URL. This should not be
+         called from user code, and is only exposed for use when subclassing the
+@@ -453,7 +509,7 @@ def send(
+         """
+
+         try:
+-            conn = self.get_connection(request.url, proxies)
++            conn = self._get_connection(request, verify, proxies)
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 32b5e6700c..d5cc13c79f 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -2828,6 +2828,13 @@ def test_status_code_425(self):
+         assert r5 == 425
+         assert r6 == 425
+
++    def test_different_connection_pool_for_tls_settings(self):
++        s = requests.Session()
++        r1 = s.get("https://invalid.badssl.com", verify=False)
++        assert r1.status_code == 421
++        with pytest.raises(requests.exceptions.SSLError):
++            s.get("https://invalid.badssl.com")
++
+
+ def test_json_decode_errors_are_serializable_deserializable():
+     json_decode_error = requests.exceptions.JSONDecodeError(
+diff --git a/tox.ini b/tox.ini
+index d2b529e2b9..c438ef316a 100644
+--- a/tox.ini
++++ b/tox.ini
+@@ -7,7 +7,7 @@ extras =
+     security
+     socks
+ commands =
+-    pytest tests
++    pytest {posargs:tests}
+
+ [testenv:default]

SPECS/python-requests/python-requests.spec

@@ -1,13 +1,14 @@
 Summary:        Awesome Python HTTP Library That's Actually Usable
 Name:           python-requests
 Version:        2.31.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Languages/Python
 URL:            http://python-requests.org
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
+Patch0:         CVE-2024-35195.patch
 BuildArch:      noarch
 
 %description
@@ -71,6 +72,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 
 %changelog
+* Fri Dec 27 2024 Archana Choudhary <[email protected]> - 2.31.0-2
+- Add patch for CVE-2024-35195
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <[email protected]> - 2.31.0-1
 - Auto-upgrade to 2.31.0 - Azure Linux 3.0 - package upgrades