File _service:tar_scm:backport-CVE-2021-28363.patch of Package python-urllib3
From 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 Mon Sep 17 00:00:00 2001
From: Jorge <JALopezSilva@gmail.com>
Date: Mon, 15 Mar 2021 06:49:49 -0700
Subject: [PATCH] Merge pull request from GHSA-5phf-pp7p-vc2r

* Enable hostname verification for HTTPS proxies with default cert.

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>

* Adjust exception check for Python 3.9+

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>

* Use a SAN instead of a common name.

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
---
 src/urllib3/connection.py                     |  4 ++++
 test/conftest.py                              | 11 ++++++++++
 .../test_proxy_poolmanager.py                 | 20 +++++++++++++++++++
 3 files changed, 35 insertions(+)

diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index 60f70f7..f59f29b 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -495,6 +495,10 @@ class HTTPSConnection(HTTPConnection):
             self.ca_cert_dir,
             self.ca_cert_data,
         )
+        # By default urllib3's SSLContext disables `check_hostname` and uses
+        # a custom check. For proxies we're good with relying on the default
+        # verification.
+        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation
diff --git a/test/conftest.py b/test/conftest.py
index 10c3a54..d4bbd97 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -103,6 +103,17 @@ def no_san_server(tmp_path_factory):
         yield cfg
 
 
+@pytest.fixture
+def no_localhost_san_server(tmp_path_factory):
+    tmpdir = tmp_path_factory.mktemp("certs")
+    ca = trustme.CA()
+    # non localhost common name
+    server_cert = ca.issue_cert(u"example.com")
+
+    with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg:
+        yield cfg
+
+
 @pytest.fixture
 def no_san_proxy(tmp_path_factory):
     tmpdir = tmp_path_factory.mktemp("certs")
diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
index d5e91a0..0f8df60 100644
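Review bot: The added `ssl_context.check_hostname = True` is unconditional, and Python's `ssl` module raises `ValueError` when `check_hostname` is enabled on a context whose `verify_mode` is `CERT_NONE`; if the context built just above (its construction starts outside the hunk, from `self.cert_reqs` among others) can be created with verification disabled, an HTTPS-proxy connection would now fail with that error instead of connecting unverified as the caller configured. Guard the assignment, e.g. `if ssl_context.verify_mode != ssl.CERT_NONE:` on the line before it (assuming `ssl` is in scope in this module), and extend the new comment to say that hostname checking is left off only when certificate verification itself was disabled. The enclosing method starts and ends outside the hunk.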
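Review bot: The comment `# non localhost common name` in the new `no_localhost_san_server` fixture describes the certificate as a common-name mismatch, while the commit subject states that a SAN is used instead of a common name, so the comment contradicts what the fixture is meant to guarantee. It should state the invariant the test relies on, e.g. `# certificate issued for example.com only, so it never matches the "localhost" the server is reached on`. The fixture is otherwise complete within the hunk.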
--- a/test/with_dummyserver/test_proxy_poolmanager.py
+++ b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -565,6 +565,26 @@ class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase):
         r = http.request("GET", "%s/" % self.https_url)
         assert r.status == 200
 
 
+class TestHTTPSProxyVerification:
+    @onlyPy3
+    def test_https_proxy_hostname_verification(self, no_localhost_san_server):
+        bad_server = no_localhost_san_server
+        bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port)
+
+        # An exception will be raised before we contact the destination domain.
+        test_url = "testing.com"
+        with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https:
+            with pytest.raises(MaxRetryError) as e:
+                https.request("GET", "http://%s/" % test_url)
+            assert isinstance(e.value.reason, SSLError)
+            assert "hostname 'localhost' doesn't match" in str(e.value.reason)
+
+            with pytest.raises(MaxRetryError) as e:
+                https.request("GET", "https://%s/" % test_url)
+            assert isinstance(e.value.reason, SSLError)
+            assert "hostname 'localhost' doesn't match" in str(
+                e.value.reason
+            ) or "Hostname mismatch" in str(e.value.reason)
 class TestHTTPSProxyVerification:
     @onlyPy3
-- 
2.27.0
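Review bot: The new `class TestHTTPSProxyVerification:` is immediately followed, in the hunk's trailing context lines, by an existing `class TestHTTPSProxyVerification:` / `@onlyPy3` in the target file (the hunk counts, 6 context and 20 added, confirm those two lines are unchanged context), so after the patch the module binds the same name twice and the second `class` statement replaces the first; pytest then never collects `test_https_proxy_hostname_verification`, and the hostname-verification fix in connection.py goes untested by this backport. The method belongs in the already-present class: drop the added `+class TestHTTPSProxyVerification:` line and place the `@onlyPy3`-decorated method inside the existing class body instead, keeping its 4-space indent. The existing class's body continues outside the hunk, so where within it the method lands cannot be seen here.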