File _service:tar_scm:backport-CVE-2021-28363.patch of Package python-urllib3

From 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 Mon Sep 17 00:00:00 2001
From: Jorge <JALopezSilva@gmail.com>
Date: Mon, 15 Mar 2021 06:49:49 -0700
Subject: [PATCH] Merge pull request from GHSA-5phf-pp7p-vc2r

* Enable hostname verification for HTTPS proxies with default cert.

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>

* Adjust exception check for Python 3.9+

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>

* Use a SAN instead of a common name.

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
---
 src/urllib3/connection.py                     |  4 ++++
 test/conftest.py                              | 11 ++++++++++
 .../test_proxy_poolmanager.py                 | 20 +++++++++++++++++++
 3 files changed, 35 insertions(+)

diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index 60f70f7..f59f29b 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -495,6 +495,10 @@ class HTTPSConnection(HTTPConnection):
             self.ca_cert_dir,
             self.ca_cert_data,
         )
+        # By default urllib3's SSLContext disables `check_hostname` and uses
+        # a custom check. For proxies we're good with relying on the default
+        # verification.
+        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation
diff --git a/test/conftest.py b/test/conftest.py
index 10c3a54..d4bbd97 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -103,6 +103,17 @@ def no_san_server(tmp_path_factory):
         yield cfg
 
 
+@pytest.fixture
+def no_localhost_san_server(tmp_path_factory):
+    tmpdir = tmp_path_factory.mktemp("certs")
+    ca = trustme.CA()
+    # non localhost common name
+    server_cert = ca.issue_cert(u"example.com")
+
+    with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg:
+        yield cfg
+
+
 @pytest.fixture
 def no_san_proxy(tmp_path_factory):
     tmpdir = tmp_path_factory.mktemp("certs")
diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
index d5e91a0..0f8df60 100644
--- a/test/with_dummyserver/test_proxy_poolmanager.py
+++ b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -565,6 +565,26 @@ class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase):
             r = http.request("GET", "%s/" % self.https_url)
             assert r.status == 200
 
+class TestHTTPSProxyVerification:
+    @onlyPy3
+    def test_https_proxy_hostname_verification(self, no_localhost_san_server):
+        bad_server = no_localhost_san_server
+        bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port)
+
+        # An exception will be raised before we contact the destination domain.
+        test_url = "testing.com"
+        with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https:
+            with pytest.raises(MaxRetryError) as e:
+                https.request("GET", "http://%s/" % test_url)
+            assert isinstance(e.value.reason, SSLError)
+            assert "hostname 'localhost' doesn't match" in str(e.value.reason)
+
+            with pytest.raises(MaxRetryError) as e:
+                https.request("GET", "https://%s/" % test_url)
+            assert isinstance(e.value.reason, SSLError)
+            assert "hostname 'localhost' doesn't match" in str(
+                e.value.reason
+            ) or "Hostname mismatch" in str(e.value.reason)
 
 class TestHTTPSProxyVerification:
     @onlyPy3
-- 
2.27.0