Overview

File CVE-2026-21441.patch of Package python-urllib3_1

From 8864ac407bba8607950025e0979c4c69bc7abc7b Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Wed, 7 Jan 2026 18:07:30 +0200
Subject: [PATCH] Merge commit from fork

* Stop decoding response content during redirects needlessly

* Rename the new query parameter

* Add a changelog entry
---
 CHANGES.rst                                  | 13 +++++++++++++
 dummyserver/app.py                           |  8 +++++++-
 src/urllib3/response.py                      |  6 +++++-
 test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++
 4 files changed, 44 insertions(+), 2 deletions(-)

Index: urllib3-1.26.20/src/urllib3/response.py
===================================================================
--- urllib3-1.26.20.orig/src/urllib3/response.py
+++ urllib3-1.26.20/src/urllib3/response.py
@@ -476,7 +476,11 @@ class HTTPResponse(io.IOBase):
         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
         """
         try:
-            self.read()
+            self.read(
+                # Do not spend resources decoding the content unless
+                # decoding has already been initialized.
+                decode_content=self._has_decoded_content,
+            )
         except (HTTPError, SocketError, BaseSSLError, HTTPException):
             pass
 
Index: urllib3-1.26.20/test/with_dummyserver/test_connectionpool.py
===================================================================
--- urllib3-1.26.20.orig/test/with_dummyserver/test_connectionpool.py
+++ urllib3-1.26.20/test/with_dummyserver/test_connectionpool.py
@@ -467,6 +467,25 @@ class TestConnectionPool(HTTPDummyServer
             assert r.status == 200
             assert r.data == b"Dummy server!"
 
+    @mock.patch("urllib3.response.GzipDecoder.decompress")
+    def test_no_decoding_with_redirect_when_preload_disabled(
+        self, gzip_decompress
+    ):
+        """
+        Test that urllib3 does not attempt to decode a gzipped redirect
+        response when `preload_content` is set to `False`.
+        """
+        with HTTPConnectionPool(self.host, self.port) as pool:
+            # Three requests are expected: two redirects and one final / 200 OK.
+            response = pool.request(
+                "GET",
+                "/redirect",
+                fields={"target": "/redirect?compressed=true", "compressed": "true"},
+                preload_content=False,
+            )
+        assert response.status == 200
+        gzip_decompress.assert_not_called()
+
     def test_303_redirect_makes_request_lose_body(self):
         with HTTPConnectionPool(self.host, self.port) as pool:
             response = pool.request(
openSUSE Build Service is sponsored by
Places