authorRicardo Salveti <ricardo@foundries.io>2019-02-15 19:51:17 -0200
committerKhem Raj <raj.khem@gmail.com>2019-02-17 12:21:27 -0800
commitf357a80861377a7256cf7c0693e6f0c6e1ebe4cf (patch)
tree76c6d394cdf72bf90aebeee04ddf95557a254281
parent293fac92416b0bea72549159b2050ccde573d12d (diff)
python-requests: update to version 2.20.1
Drop patches as they were backports which are now available as part of this release. License checksum changed but the license is the same (license address changed from http to https). Signed-off-by: Ricardo Salveti <ricardo@foundries.io> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--meta-python/recipes-devtools/python/python-requests.inc10
-rw-r--r--meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch62
-rw-r--r--meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch118
-rw-r--r--meta-python/recipes-devtools/python/python-requests_2.20.1.bb (renamed from meta-python/recipes-devtools/python/python-requests_2.19.1.bb)0
-rw-r--r--meta-python/recipes-devtools/python/python3-requests_2.20.1.bb (renamed from meta-python/recipes-devtools/python/python3-requests_2.19.1.bb)0
5 files changed, 3 insertions, 187 deletions
diff --git a/meta-python/recipes-devtools/python/python-requests.inc b/meta-python/recipes-devtools/python/python-requests.inc
index 301c2f82ff..0401ee448d 100644
--- a/meta-python/recipes-devtools/python/python-requests.inc
+++ b/meta-python/recipes-devtools/python/python-requests.inc
@@ -1,16 +1,12 @@
DESCRIPTION = "Python HTTP for Humans."
HOMEPAGE = "http://python-requests.org"
LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=bfbeafb85a2cee261510d65d5ec19156"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=a8d5a1d1c2d53025e2282c511033f6f7"
FILESEXTRAPATHS_prepend := "${THISDIR}/python-requests:"
-SRC_URI += "file://0001-Strip-Authorization-header-whenever-root-URL-changes.patch \
- file://0002-Rework-authorization-stripping-logic-as-discussed.patch \
- "
-
-SRC_URI[md5sum] = "6c1a31afec9d614e2e71a91ee6ca2878"
-SRC_URI[sha256sum] = "ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a"
+SRC_URI[md5sum] = "2918817ea4688f4ea21cb4b11e353448"
+SRC_URI[sha256sum] = "ea881206e59f41dbd0bd445437d792e43906703fff75ca8ff43ccdb11f33f263"
inherit pypi
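Review bot: `FILESEXTRAPATHS_prepend := "${THISDIR}/python-requests:"` stays in the recipe as context although both `file://` entries it served are removed from SRC_URI. Unless other local files remain under python-requests/ (not visible in this diff), the line is dead and can be dropped with the patches. The two deleted files were the backported fix for CVE-2018-18074, which stops the Authorization header from being forwarded across a redirect that changes scheme or port. Before merging, confirm that the 2.20.1 tarball matching the new `SRC_URI[sha256sum]` contains `should_strip_auth` in requests/sessions.py. Naming the CVE in the commit message would also keep the fix traceable once the patch files with their "Fix CVE-2018-18074" notes are gone.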
diff --git a/meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch b/meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch
deleted file mode 100644
index 80ef5ffb16..0000000000
--- a/meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From fb0d391138df48e93c44a2087ea796cca5e229c0 Mon Sep 17 00:00:00 2001
-From: Bruce Merry <bmerry@ska.ac.za>
-Date: Thu, 28 Jun 2018 16:38:42 +0200
-Subject: [PATCH 1/2] Strip Authorization header whenever root URL changes
-
-Previously the header was stripped only if the hostname changed, but in
-an https -> http redirect that can leak the credentials on the wire
-(#4716). Based on with RFC 7235 section 2.2, the header is now stripped
-if the "canonical root URL" (scheme+authority) has changed, by checking
-scheme, hostname and port.
-
-Upstream-Status: Backport
-
-Fix CVE-2018-18074
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- requests/sessions.py | 4 +++-
- tests/test_requests.py | 12 +++++++++++-
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/requests/sessions.py b/requests/sessions.py
-index ba13526..2969d83 100644
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -242,7 +242,9 @@ class SessionRedirectMixin(object):
- original_parsed = urlparse(response.request.url)
- redirect_parsed = urlparse(url)
-
-- if (original_parsed.hostname != redirect_parsed.hostname):
-+ if (original_parsed.hostname != redirect_parsed.hostname
-+ or original_parsed.port != redirect_parsed.port
-+ or original_parsed.scheme != redirect_parsed.scheme):
- del headers['Authorization']
-
- # .netrc might have more auth for us on our new host.
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index fcddb1d..e0e801a 100644
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1575,7 +1575,17 @@ class TestRequests:
- auth=('user', 'pass'),
- )
- assert r.history[0].request.headers['Authorization']
-- assert not r.request.headers.get('Authorization', '')
-+ assert 'Authorization' not in r.request.headers
-+
-+ def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle):
-+ r = requests.get(
-+ httpbin_secure('redirect-to'),
-+ params={'url': httpbin('get')},
-+ auth=('user', 'pass'),
-+ verify=httpbin_ca_bundle
-+ )
-+ assert r.history[0].request.headers['Authorization']
-+ assert 'Authorization' not in r.request.headers
-
- def test_auth_is_retained_for_redirect_on_host(self, httpbin):
- r = requests.get(httpbin('redirect/1'), auth=('user', 'pass'))
---
-2.7.4
-
diff --git a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch b/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch
deleted file mode 100644
index ef069fb97b..0000000000
--- a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 698c2fa850bfc8b3bdb768e1c1cd6d57e643811d Mon Sep 17 00:00:00 2001
-From: Bruce Merry <bmerry@ska.ac.za>
-Date: Tue, 14 Aug 2018 13:30:43 +0200
-Subject: [PATCH 2/2] Rework authorization stripping logic as discussed
-
-The exception for http->https upgrade now requires the standard HTTP(S)
-ports to be used, either implicitly (no port specified) or explicitly.
-
-Upstream-Status: Backport
-
-Follow-up fix for CVE-2018-18074
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- requests/sessions.py | 26 ++++++++++++++++++--------
- tests/test_requests.py | 33 ++++++++++++++++++++++-----------
- 2 files changed, 40 insertions(+), 19 deletions(-)
-
-diff --git a/requests/sessions.py b/requests/sessions.py
-index 2969d83..c11a3a2 100644
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -115,6 +115,22 @@ class SessionRedirectMixin(object):
- return to_native_string(location, 'utf8')
- return None
-
-+ def should_strip_auth(self, old_url, new_url):
-+ """Decide whether Authorization header should be removed when redirecting"""
-+ old_parsed = urlparse(old_url)
-+ new_parsed = urlparse(new_url)
-+ if old_parsed.hostname != new_parsed.hostname:
-+ return True
-+ # Special case: allow http -> https redirect when using the standard
-+ # ports. This isn't specified by RFC 7235, but is kept to avoid
-+ # breaking backwards compatibility with older versions of requests
-+ # that allowed any redirects on the same host.
-+ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
-+ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
-+ return False
-+ # Standard case: root URI must match
-+ return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
-+
- def resolve_redirects(self, resp, req, stream=False, timeout=None,
- verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
- """Receives a Response. Returns a generator of Responses or Requests."""
-@@ -236,16 +252,10 @@ class SessionRedirectMixin(object):
- headers = prepared_request.headers
- url = prepared_request.url
-
-- if 'Authorization' in headers:
-+ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
- # If we get redirected to a new host, we should strip out any
- # authentication headers.
-- original_parsed = urlparse(response.request.url)
-- redirect_parsed = urlparse(url)
--
-- if (original_parsed.hostname != redirect_parsed.hostname
-- or original_parsed.port != redirect_parsed.port
-- or original_parsed.scheme != redirect_parsed.scheme):
-- del headers['Authorization']
-+ del headers['Authorization']
-
- # .netrc might have more auth for us on our new host.
- new_auth = get_netrc_auth(url) if self.trust_env else None
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index e0e801a..148067b 100644
---- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1567,17 +1567,7 @@ class TestRequests:
- preq = req.prepare()
- assert test_url == preq.url
-
-- @pytest.mark.xfail(raises=ConnectionError)
-- def test_auth_is_stripped_on_redirect_off_host(self, httpbin):
-- r = requests.get(
-- httpbin('redirect-to'),
-- params={'url': 'http://www.google.co.uk'},
-- auth=('user', 'pass'),
-- )
-- assert r.history[0].request.headers['Authorization']
-- assert 'Authorization' not in r.request.headers
--
-- def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle):
-+ def test_auth_is_stripped_on_http_downgrade(self, httpbin, httpbin_secure, httpbin_ca_bundle):
- r = requests.get(
- httpbin_secure('redirect-to'),
- params={'url': httpbin('get')},
-@@ -1594,6 +1584,27 @@ class TestRequests:
-
- assert h1 == h2
-
-+ def test_should_strip_auth_host_change(self):
-+ s = requests.Session()
-+ assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/')
-+
-+ def test_should_strip_auth_http_downgrade(self):
-+ s = requests.Session()
-+ assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar')
-+
-+ def test_should_strip_auth_https_upgrade(self):
-+ s = requests.Session()
-+ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar')
-+ assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar')
-+ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar')
-+ # Non-standard ports should trigger stripping
-+ assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar')
-+ assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar')
-+
-+ def test_should_strip_auth_port_change(self):
-+ s = requests.Session()
-+ assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
-+
- def test_manual_redirect_with_partial_body_read(self, httpbin):
- s = requests.Session()
- r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
---
-2.7.4
-
diff --git a/meta-python/recipes-devtools/python/python-requests_2.19.1.bb b/meta-python/recipes-devtools/python/python-requests_2.20.1.bb
index 0d7a29f745..0d7a29f745 100644
--- a/meta-python/recipes-devtools/python/python-requests_2.19.1.bb
+++ b/meta-python/recipes-devtools/python/python-requests_2.20.1.bb
diff --git a/meta-python/recipes-devtools/python/python3-requests_2.19.1.bb b/meta-python/recipes-devtools/python/python3-requests_2.20.1.bb
index 0a2410f85c..0a2410f85c 100644
--- a/meta-python/recipes-devtools/python/python3-requests_2.19.1.bb
+++ b/meta-python/recipes-devtools/python/python3-requests_2.20.1.bb