Overview

File CVE-2024-37891.patch of Package python-urllib3_1.36701

From 40b6d1605814dd1db0a46e202d6e56f2e4c9a468 Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf

* [1.26] Strip Proxy-Authorization header on redirects

* Set release date
---
 CHANGES.rst                               |  5 +++++
 src/urllib3/util/retry.py                 |  4 +++-
 test/test_retry.py                        |  6 +++++-
 test/test_retry_deprecated.py             |  6 +++++-
 test/with_dummyserver/test_poolmanager.py | 26 ++++++++++++++++++++---
 5 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 3a0a4f0a2d..22af7e3d33 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changes
 =======
 
+1.26.19 (2024-06-17)
+==================
+
+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
 1.26.18 (2023-10-17)
 --------------------
 
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 60ef6c4f3f..9a1e90d0b2 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
     #: Default headers to be used for ``remove_headers_on_redirect``
-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
 
     #: Maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index 95a33e7461..36477145f5 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -293,7 +293,11 @@ def test_retry_method_not_in_whitelist(self):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
 
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
index 5133a51afa..e3b69e778f 100644
--- a/test/test_retry_deprecated.py
+++ b/test/test_retry_deprecated.py
@@ -295,7 +295,11 @@ def test_retry_method_not_in_whitelist(self):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
 
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
openSUSE Build Service is sponsored by
Places