File CVE-2020-26116-CRLF-injection.patch of Package python-urllib3

From d126a7654af03df4ec26ab1be4614279d6c1fec5 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <sethmichaellarson@gmail.com>
Date: Wed, 12 Feb 2020 20:03:54 -0600
Subject: [PATCH 1/4] Raise ValueError if method contains control characters

---
 CHANGES.rst                                  |    3 +++
 test/with_dummyserver/test_connectionpool.py |   14 +++++++++++---
 test/with_dummyserver/test_poolmanager.py    |    2 +-
 urllib3/connection.py                        |   16 +++++++++++++++-
 4 files changed, 30 insertions(+), 5 deletions(-)

--- a/urllib3/connection.py
+++ b/urllib3/connection.py
@@ -59,7 +59,7 @@ port_by_scheme = {
 
 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2021, 1, 1)
 
 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 
--- a/test/with_dummyserver/test_connectionpool.py
+++ b/test/with_dummyserver/test_connectionpool.py
@@ -5,7 +5,6 @@ import sys
 import unittest
 import time
 import warnings
-import pytest
 
 import mock
 
@@ -23,11 +22,13 @@ from urllib3.exceptions import (
     DecodeError,
     MaxRetryError,
     ReadTimeoutError,
+    ProtocolError,
     NewConnectionError,
     UnrewindableBodyError,
 )
 from urllib3.packages.six import b, u
 from urllib3.packages.six.moves.urllib.parse import urlencode
+from urllib3.packages.six.moves.http_client import InvalidURL
 from urllib3.util.retry import Retry, RequestHistory
 from urllib3.util.timeout import Timeout
 
@@ -659,8 +660,9 @@ class TestConnectionPool(HTTPDummyServer
 
     def test_invalid_method_not_allowed(self):
         for char in [" ", "\r", "\n", "\x00"]:
-            pool = HTTPConnectionPool(self.host, self.port)
-            self.assertRaises(ValueError, pool.request, 'GET' + char, '/')
+            with self.assertRaises(ValueError):
+                with HTTPConnectionPool(self.host, self.port) as pool:
+                    pool.request("GET" + char, "/")
 
     def test_source_address(self):
         for addr, is_ipv6 in VALID_SOURCE_ADDRESSES:
@@ -678,9 +680,8 @@ class TestConnectionPool(HTTPDummyServer
         for addr in INVALID_SOURCE_ADDRESSES:
             pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False)
             # FIXME: This assert flakes sometimes. Not sure why.
-            self.assertRaises(NewConnectionError,
-                              pool.request,
-                              'GET', '/source_address?{0}'.format(addr).replace(' ', '%20'))
+            with self.assertRaises((InvalidURL, ProtocolError)):
+                pool.request('GET', '/source_address?{0}'.format(addr))
 
     def test_stream_keepalive(self):
         x = 2
@@ -708,7 +709,7 @@ class TestConnectionPool(HTTPDummyServer
             preload_content=False
         )
         response.read()
-        with pytest.raises(StopIteration):
+        with self.assertRaises(StopIteration):
             next(response.read_chunked())
 
     def test_read_chunked_on_closed_response(self):
@@ -718,7 +719,7 @@ class TestConnectionPool(HTTPDummyServer
             preload_content=False
         )
         response.close()
-        with pytest.raises(StopIteration):
+        with self.assertRaises(StopIteration):
             next(response.read_chunked())
 
     def test_chunked_gzip(self):
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,9 @@ Changes
 1.23 (2018-06-04)
 -----------------
 
+* Raise ``ValueError`` if control characters are given in
+  the ``method`` parameter of ``HTTPConnection.request()`` (Pull #1800)
+
 * Allow providing a list of headers to strip from requests when redirecting
   to a different host. Defaults to the ``Authorization`` header. Different
   headers can be set via ``Retry.remove_headers_on_redirect``. (Issue #1316)
openSUSE Build Service is sponsored by