File CVE-2024-37891.patch of Package python-urllib3.36699

From 40b6d1605814dd1db0a46e202d6e56f2e4c9a468 Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf

* [1.26] Strip Proxy-Authorization header on redirects

* Set release date
---
 CHANGES.rst                               |  5 +++++
 src/urllib3/util/retry.py                 |  4 +++-
 test/test_retry.py                        |  6 +++++-
 test/test_retry_deprecated.py             |  6 +++++-
 test/with_dummyserver/test_poolmanager.py | 26 ++++++++++++++++++++---
 5 files changed, 41 insertions(+), 6 deletions(-)

Index: urllib3-1.25.10/src/urllib3/util/retry.py
===================================================================
--- urllib3-1.25.10.orig/src/urllib3/util/retry.py
+++ urllib3-1.25.10/src/urllib3/util/retry.py
@@ -154,7 +154,7 @@ class Retry(object):
 
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie", "Authorization", "Proxy-Authorization"])
 
     #: Maximum backoff time.
     BACKOFF_MAX = 120
Index: urllib3-1.25.10/test/test_retry.py
===================================================================
--- urllib3-1.25.10.orig/test/test_retry.py
+++ urllib3-1.25.10/test/test_retry.py
@@ -270,7 +270,7 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert sorted(list(retry.remove_headers_on_redirect)) == sorted(["authorization", "cookie"])
+        assert sorted(list(retry.remove_headers_on_redirect)) == sorted(["authorization","proxy-authorization", "cookie"])
 
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])