summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYogita Urade <yogita.urade@windriver.com>2025-07-03 10:16:28 +0530
committerSteve Sakoman <steve@sakoman.com>2025-07-09 08:23:23 -0700
commit50856ee7a62ac5ef4fda6f3613f0f3f8ec688d79 (patch)
treec33275e1fb77756b1539eb58eb52ecafc756ea94
parenta17ec857dfeca61b7efbaafd6c89cbba69142ddf (diff)
downloadpoky-50856ee7a62ac5ef4fda6f3613f0f3f8ec688d79.tar.gz
python3-urllib3: fix CVE-2025-50181
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-50181 Upstream patch: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 (From OE-Core rev: 574146765ea3f9b36532abf4ebc8bd2976396f0b) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch214
-rw-r--r--meta/recipes-devtools/python/python3-urllib3_1.26.18.bb4
2 files changed, 218 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
new file mode 100644
index 0000000000..61bdcc3e62
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
@@ -0,0 +1,214 @@
1From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
2From: Illia Volochii <illia.volochii@gmail.com>
3Date: Wed, 18 Jun 2025 16:25:01 +0300
4Subject: [PATCH] Merge commit from fork
5
6* Apply Quentin's suggestion
7
8Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
9
10* Add tests for disabled redirects in the pool manager
11
12* Add a possible fix for the issue with not raised `MaxRetryError`
13
14* Make urllib3 handle redirects instead of JS when JSPI is used
15
16* Fix info in the new comment
17
18* State that redirects with XHR are not controlled by urllib3
19
20* Remove excessive params from new test requests
21
22* Add tests reaching max non-0 redirects
23
24* Test redirects with Emscripten
25
26* Fix `test_merge_pool_kwargs`
27
28* Add a changelog entry
29
30* Parametrize tests
31
32* Drop a fix for Emscripten
33
34* Apply Seth's suggestion to docs
35
36Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
37
38* Use a minor release instead of the patch one
39
40---------
41
42Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
43Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
44
45Changes:
46- skip docs/reference/contrib/emscripten.rst, dummyserver/app.py and
47test/contrib/emscripten/test_emscripten.py files which are not presented.
48
49CVE: CVE-2025-50181
50Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857]
51
52Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
53---
54 src/urllib3/poolmanager.py | 18 +++-
55 test/with_dummyserver/test_poolmanager.py | 101 ++++++++++++++++++++++
56 2 files changed, 118 insertions(+), 1 deletion(-)
57
58diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
59index fb51bf7..a8de7c6 100644
60--- a/src/urllib3/poolmanager.py
61+++ b/src/urllib3/poolmanager.py
62@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
63
64 def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
65 RequestMethods.__init__(self, headers)
66+ if "retries" in connection_pool_kw:
67+ retries = connection_pool_kw["retries"]
68+ if not isinstance(retries, Retry):
69+ # When Retry is initialized, raise_on_redirect is based
70+ # on a redirect boolean value.
71+ # But requests made via a pool manager always set
72+ # redirect to False, and raise_on_redirect always ends
73+ # up being False consequently.
74+ # Here we fix the issue by setting raise_on_redirect to
75+ # a value needed by the pool manager without considering
76+ # the redirect boolean.
77+ raise_on_redirect = retries is not False
78+ retries = Retry.from_int(retries, redirect=False)
79+ retries.raise_on_redirect = raise_on_redirect
80+ connection_pool_kw = connection_pool_kw.copy()
81+ connection_pool_kw["retries"] = retries
82 self.connection_pool_kw = connection_pool_kw
83 self.pools = RecentlyUsedContainer(num_pools)
84
85@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
86 kw["body"] = None
87 kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
88
89- retries = kw.get("retries")
90+ retries = kw.get("retries", response.retries)
91 if not isinstance(retries, Retry):
92 retries = Retry.from_int(retries, redirect=redirect)
93
94diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
95index 509daf2..f84f169 100644
96--- a/test/with_dummyserver/test_poolmanager.py
97+++ b/test/with_dummyserver/test_poolmanager.py
98@@ -82,6 +82,89 @@ class TestPoolManager(HTTPDummyServerTestCase):
99 assert r.status == 200
100 assert r.data == b"Dummy server!"
101
102+ @pytest.mark.parametrize(
103+ "retries",
104+ (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)),
105+ )
106+ def test_redirects_disabled_for_pool_manager_with_0(
107+ self, retries: typing.Literal[0] | Retry
108+ ) -> None:
109+ """
110+ Check handling redirects when retries is set to 0 on the pool
111+ manager.
112+ """
113+ with PoolManager(retries=retries) as http:
114+ with pytest.raises(MaxRetryError):
115+ http.request("GET", f"{self.base_url}/redirect")
116+
117+ # Setting redirect=True should not change the behavior.
118+ with pytest.raises(MaxRetryError):
119+ http.request("GET", f"{self.base_url}/redirect", redirect=True)
120+
121+ # Setting redirect=False should not make it follow the redirect,
122+ # but MaxRetryError should not be raised.
123+ response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
124+ assert response.status == 303
125+
126+ @pytest.mark.parametrize(
127+ "retries",
128+ (
129+ False,
130+ Retry(total=False),
131+ Retry(redirect=False),
132+ Retry(total=False, redirect=False),
133+ ),
134+ )
135+ def test_redirects_disabled_for_pool_manager_with_false(
136+ self, retries: typing.Literal[False] | Retry
137+ ) -> None:
138+ """
139+ Check that setting retries set to False on the pool manager disables
140+ raising MaxRetryError and redirect=True does not change the
141+ behavior.
142+ """
143+ with PoolManager(retries=retries) as http:
144+ response = http.request("GET", f"{self.base_url}/redirect")
145+ assert response.status == 303
146+
147+ response = http.request("GET", f"{self.base_url}/redirect", redirect=True)
148+ assert response.status == 303
149+
150+ response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
151+ assert response.status == 303
152+
153+ def test_redirects_disabled_for_individual_request(self) -> None:
154+ """
155+ Check handling redirects when they are meant to be disabled
156+ on the request level.
157+ """
158+ with PoolManager() as http:
159+ # Check when redirect is not passed.
160+ with pytest.raises(MaxRetryError):
161+ http.request("GET", f"{self.base_url}/redirect", retries=0)
162+ response = http.request("GET", f"{self.base_url}/redirect", retries=False)
163+ assert response.status == 303
164+
165+ # Check when redirect=True.
166+ with pytest.raises(MaxRetryError):
167+ http.request(
168+ "GET", f"{self.base_url}/redirect", retries=0, redirect=True
169+ )
170+ response = http.request(
171+ "GET", f"{self.base_url}/redirect", retries=False, redirect=True
172+ )
173+ assert response.status == 303
174+
175+ # Check when redirect=False.
176+ response = http.request(
177+ "GET", f"{self.base_url}/redirect", retries=0, redirect=False
178+ )
179+ assert response.status == 303
180+ response = http.request(
181+ "GET", f"{self.base_url}/redirect", retries=False, redirect=False
182+ )
183+ assert response.status == 303
184+
185 def test_cross_host_redirect(self):
186 with PoolManager() as http:
187 cross_host_location = "%s/echo?a=b" % self.base_url_alt
188@@ -136,6 +219,24 @@ class TestPoolManager(HTTPDummyServerTestCase):
189 pool = http.connection_from_host(self.host, self.port)
190 assert pool.num_connections == 1
191
192+ # Check when retries are configured for the pool manager.
193+ with PoolManager(retries=1) as http:
194+ with pytest.raises(MaxRetryError):
195+ http.request(
196+ "GET",
197+ f"{self.base_url}/redirect",
198+ fields={"target": f"/redirect?target={self.base_url}/"},
199+ )
200+
201+ # Here we allow more retries for the request.
202+ response = http.request(
203+ "GET",
204+ f"{self.base_url}/redirect",
205+ fields={"target": f"/redirect?target={self.base_url}/"},
206+ retries=2,
207+ )
208+ assert response.status == 200
209+
210 def test_redirect_cross_host_remove_headers(self):
211 with PoolManager() as http:
212 r = http.request(
213--
2142.40.0
diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
index d384b5eb2f..b26c9ad2fa 100644
--- a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
@@ -7,6 +7,10 @@ SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e32
7 7
8inherit pypi setuptools3 8inherit pypi setuptools3
9 9
10SRC_URI += " \
11 file://CVE-2025-50181.patch \
12"
13
10RDEPENDS:${PN} += "\ 14RDEPENDS:${PN} += "\
11 ${PYTHON_PN}-certifi \ 15 ${PYTHON_PN}-certifi \
12 ${PYTHON_PN}-cryptography \ 16 ${PYTHON_PN}-cryptography \