1 files changed, 0 insertions, 118 deletions
diff --git a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch b/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch
deleted file mode 100644
index ef069fb97b..0000000000
--- a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 698c2fa850bfc8b3bdb768e1c1cd6d57e643811d Mon Sep 17 00:00:00 2001
-From: Bruce Merry <bmerry@ska.ac.za>
-Date: Tue, 14 Aug 2018 13:30:43 +0200
-Subject: [PATCH 2/2] Rework authorization stripping logic as discussed
-The exception for http->https upgrade now requires the standard HTTP(S)
-ports to be used, either implicitly (no port specified) or explicitly.
-Upstream-Status: Backport
-Follow-up fix for CVE-2018-18074
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
- requests/sessions.py   | 26 ++++++++++++++++++--------
- tests/test_requests.py | 33 ++++++++++++++++++++++-----------
- 2 files changed, 40 insertions(+), 19 deletions(-)
-diff --git a/requests/sessions.py b/requests/sessions.py
-index 2969d83..c11a3a2 100644
--- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -115,6 +115,22 @@ class SessionRedirectMixin(object):
-             return to_native_string(location, 'utf8')
-         return None
- 
-+    def should_strip_auth(self, old_url, new_url):
-+        """Decide whether Authorization header should be removed when redirecting"""
-+        old_parsed = urlparse(old_url)
-+        new_parsed = urlparse(new_url)
-+        if old_parsed.hostname != new_parsed.hostname:
-+            return True
-+        # Special case: allow http -> https redirect when using the standard
-+        # ports. This isn't specified by RFC 7235, but is kept to avoid
-+        # breaking backwards compatibility with older versions of requests
-+        # that allowed any redirects on the same host.
-+        if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
-+                and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
-+            return False
-+        # Standard case: root URI must match
-+        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
-+
-     def resolve_redirects(self, resp, req, stream=False, timeout=None,
-                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
-         """Receives a Response. Returns a generator of Responses or Requests."""
-@@ -236,16 +252,10 @@ class SessionRedirectMixin(object):
-         headers = prepared_request.headers
-         url = prepared_request.url
- 
-        if 'Authorization' in headers:
-+        if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
-             # If we get redirected to a new host, we should strip out any
-             # authentication headers.
-            original_parsed = urlparse(response.request.url)
-            redirect_parsed = urlparse(url)
-
-            if (original_parsed.hostname != redirect_parsed.hostname
-                    or original_parsed.port != redirect_parsed.port
-                    or original_parsed.scheme != redirect_parsed.scheme):
-                del headers['Authorization']
-+            del headers['Authorization']
- 
-         # .netrc might have more auth for us on our new host.
-         new_auth = get_netrc_auth(url) if self.trust_env else None
-diff --git a/tests/test_requests.py b/tests/test_requests.py
-index e0e801a..148067b 100644
--- a/tests/test_requests.py
-+++ b/tests/test_requests.py
-@@ -1567,17 +1567,7 @@ class TestRequests:
-             preq = req.prepare()
-             assert test_url == preq.url
- 
-    @pytest.mark.xfail(raises=ConnectionError)
-    def test_auth_is_stripped_on_redirect_off_host(self, httpbin):
-        r = requests.get(
-            httpbin('redirect-to'),
-            params={'url': 'http://www.google.co.uk'},
-            auth=('user', 'pass'),
-        )
-        assert r.history[0].request.headers['Authorization']
-        assert 'Authorization' not in r.request.headers
-
-    def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle):
-+    def test_auth_is_stripped_on_http_downgrade(self, httpbin, httpbin_secure, httpbin_ca_bundle):
-         r = requests.get(
-             httpbin_secure('redirect-to'),
-             params={'url': httpbin('get')},
-@@ -1594,6 +1584,27 @@ class TestRequests:
- 
-         assert h1 == h2
- 
-+    def test_should_strip_auth_host_change(self):
-+        s = requests.Session()
-+        assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/')
-+
-+    def test_should_strip_auth_http_downgrade(self):
-+        s = requests.Session()
-+        assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar')
-+
-+    def test_should_strip_auth_https_upgrade(self):
-+        s = requests.Session()
-+        assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar')
-+        assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar')
-+        assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar')
-+        # Non-standard ports should trigger stripping
-+        assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar')
-+        assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar')
-+
-+    def test_should_strip_auth_port_change(self):
-+        s = requests.Session()
-+        assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
-+
-     def test_manual_redirect_with_partial_body_read(self, httpbin):
-         s = requests.Session()
-         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
-- 
-2.7.4

diff --git a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch b/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch deleted file mode 100644 index ef069fb97b..0000000000 --- a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch +++ /dev/null
@@ -1,118 +0,0 @@
1	From 698c2fa850bfc8b3bdb768e1c1cd6d57e643811d Mon Sep 17 00:00:00 2001
2	From: Bruce Merry <bmerry@ska.ac.za>
3	Date: Tue, 14 Aug 2018 13:30:43 +0200
4	Subject: [PATCH 2/2] Rework authorization stripping logic as discussed
5
6	The exception for http->https upgrade now requires the standard HTTP(S)
7	ports to be used, either implicitly (no port specified) or explicitly.
8
9	Upstream-Status: Backport
10
11	Follow-up fix for CVE-2018-18074
12
13	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
14	---
15	requests/sessions.py \| 26 ++++++++++++++++++--------
16	tests/test_requests.py \| 33 ++++++++++++++++++++++-----------
17	2 files changed, 40 insertions(+), 19 deletions(-)
18
19	diff --git a/requests/sessions.py b/requests/sessions.py
20	index 2969d83..c11a3a2 100644
21	--- a/requests/sessions.py
22	+++ b/requests/sessions.py
23	@@ -115,6 +115,22 @@ class SessionRedirectMixin(object):
24	return to_native_string(location, 'utf8')
25	return None
26
27	+ def should_strip_auth(self, old_url, new_url):
28	+ """Decide whether Authorization header should be removed when redirecting"""
29	+ old_parsed = urlparse(old_url)
30	+ new_parsed = urlparse(new_url)
31	+ if old_parsed.hostname != new_parsed.hostname:
32	+ return True
33	+ # Special case: allow http -> https redirect when using the standard
34	+ # ports. This isn't specified by RFC 7235, but is kept to avoid
35	+ # breaking backwards compatibility with older versions of requests
36	+ # that allowed any redirects on the same host.
37	+ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
38	+ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
39	+ return False
40	+ # Standard case: root URI must match
41	+ return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
42	+
43	def resolve_redirects(self, resp, req, stream=False, timeout=None,
44	verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
45	"""Receives a Response. Returns a generator of Responses or Requests."""
46	@@ -236,16 +252,10 @@ class SessionRedirectMixin(object):
47	headers = prepared_request.headers
48	url = prepared_request.url
49
50	- if 'Authorization' in headers:
51	+ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
52	# If we get redirected to a new host, we should strip out any
53	# authentication headers.
54	- original_parsed = urlparse(response.request.url)
55	- redirect_parsed = urlparse(url)
56	-
57	- if (original_parsed.hostname != redirect_parsed.hostname
58	- or original_parsed.port != redirect_parsed.port
59	- or original_parsed.scheme != redirect_parsed.scheme):
60	- del headers['Authorization']
61	+ del headers['Authorization']
62
63	# .netrc might have more auth for us on our new host.
64	new_auth = get_netrc_auth(url) if self.trust_env else None
65	diff --git a/tests/test_requests.py b/tests/test_requests.py
66	index e0e801a..148067b 100644
67	--- a/tests/test_requests.py
68	+++ b/tests/test_requests.py
69	@@ -1567,17 +1567,7 @@ class TestRequests:
70	preq = req.prepare()
71	assert test_url == preq.url
72
73	- @pytest.mark.xfail(raises=ConnectionError)
74	- def test_auth_is_stripped_on_redirect_off_host(self, httpbin):
75	- r = requests.get(
76	- httpbin('redirect-to'),
77	- params={'url': 'http://www.google.co.uk'},
78	- auth=('user', 'pass'),
79	- )
80	- assert r.history[0].request.headers['Authorization']
81	- assert 'Authorization' not in r.request.headers
82	-
83	- def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle):
84	+ def test_auth_is_stripped_on_http_downgrade(self, httpbin, httpbin_secure, httpbin_ca_bundle):
85	r = requests.get(
86	httpbin_secure('redirect-to'),
87	params={'url': httpbin('get')},
88	@@ -1594,6 +1584,27 @@ class TestRequests:
89
90	assert h1 == h2
91
92	+ def test_should_strip_auth_host_change(self):
93	+ s = requests.Session()
94	+ assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/')
95	+
96	+ def test_should_strip_auth_http_downgrade(self):
97	+ s = requests.Session()
98	+ assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar')
99	+
100	+ def test_should_strip_auth_https_upgrade(self):
101	+ s = requests.Session()
102	+ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar')
103	+ assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar')
104	+ assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar')
105	+ # Non-standard ports should trigger stripping
106	+ assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar')
107	+ assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar')
108	+
109	+ def test_should_strip_auth_port_change(self):
110	+ s = requests.Session()
111	+ assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
112	+
113	def test_manual_redirect_with_partial_body_read(self, httpbin):
114	s = requests.Session()
115	r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
116	--
117	2.7.4
118