File CVE-2024-47081.patch of Package python-requests.39137
From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Wed, 25 Sep 2024 08:03:20 -0700
Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
---
requests/utils.py | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
Index: requests-2.25.1/requests/utils.py
===================================================================
--- requests-2.25.1.orig/requests/utils.py
+++ requests-2.25.1/requests/utils.py
@@ -198,13 +198,7 @@ def get_netrc_auth(url, raise_errors=Fal
return
ri = urlparse(url)
-
- # Strip port numbers from netloc. This weird `if...encode`` dance is
- # used for Python 3.2, which doesn't support unicode literals.
- splitstr = b':'
- if isinstance(url, str):
- splitstr = splitstr.decode('ascii')
- host = ri.netloc.split(splitstr)[0]
+ host = ri.hostname
try:
_netrc = netrc(netrc_path).authenticators(host)
Index: requests-2.25.1/tests/test_requests.py
===================================================================
--- requests-2.25.1.orig/tests/test_requests.py
+++ requests-2.25.1/tests/test_requests.py
@@ -604,6 +604,30 @@ class TestRequests:
finally:
requests.sessions.get_netrc_auth = old_auth
+ def test_basicauth_with_netrc_leak(self, httpbin):
+ url1 = httpbin("basic-auth", "user", "pass")
+ url = url1[len("http://") :]
+ domain = url.split(":")[0]
+ url = "http://example.com:@%s" % url
+
+ netrc_file = os.path.expanduser("~/.netrc")
+ with open(netrc_file, "w") as fp:
+ fp.write("machine example.com\n")
+ fp.write("login wronguser\n")
+ fp.write("password wrongpass\n")
+ fp.write("machine %s\n" % domain)
+ fp.write("login user\n")
+ fp.write("password pass\n")
+
+ try:
+ # Should use netrc
+ # Make sure that we don't use the example.com credentails
+ # for the request
+ r = requests.get(url)
+ assert r.status_code == 200
+ finally:
+ os.unlink(netrc_file)
+
def test_DIGEST_HTTP_200_OK_GET(self, httpbin):
for authtype in self.digest_auth_algo:
