dev-python/requests: fix CVE-2023-32681

BUG=b/336266224
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2023-32681 in dev-python/requests.

cos-patch: security-moderate
Change-Id: I3d264cf1ac9fe467b6e20b842843c2b2efad1f8a
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/70679
Reviewed-by: Kevin Berry <kpberry@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/dev-python/requests/files/requests-2.24.0-CVE-2023-32681.patch b/dev-python/requests/files/requests-2.24.0-CVE-2023-32681.patch
new file mode 100644
index 0000000..14e45f8
--- /dev/null
+++ b/dev-python/requests/files/requests-2.24.0-CVE-2023-32681.patch
@@ -0,0 +1,59 @@
+From 7a334cc96ee16186e26943d7777bfbefddecaf08 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index e8e2d609a78d..6e73925ae937 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index e730f7648b4d..66ee3f5fdd41 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -551,6 +551,26 @@ class TestRequests:
+         with pytest.raises(InvalidProxyURL):
+             requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ('user', 'pass')
+         wrong_auth = ('wronguser', 'wrongpass')
+-- 
+2.44.0.769.g3c40516874-goog
+
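Review bot: The new regression test in tests/test_requests.py asserts only that `Proxy-Authorization` is absent from the prepared request for an https URL; nothing in the patch checks that the credentials in the `https` proxy entry still reach the proxy on the CONNECT request. The added comment in `rebuild_proxies` relies on urllib3 doing this "in the standard adapter", so for a backport to 2.24.0 it is worth confirming that this version's `HTTPAdapter.proxy_headers` path builds the header from the proxy URL. A custom transport adapter without that logic would presumably lose proxy authentication for https destinations. The guard also reads `scheme`, which is bound earlier in `rebuild_proxies`, outside the hunk. I would record this in the patch description between the `Subject:` line and the `---` separator, for example `Backport to 2.24.0; proxy credentials for https URLs are sent by the adapter on CONNECT, not via request headers.`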
diff --git a/dev-python/requests/requests-2.24.0-r2.ebuild b/dev-python/requests/requests-2.24.0-r2.ebuild
new file mode 120000
index 0000000..e03dca5
--- /dev/null
+++ b/dev-python/requests/requests-2.24.0-r2.ebuild
@@ -0,0 +1 @@
+requests-2.24.0.ebuild
\ No newline at end of file
diff --git a/dev-python/requests/requests-2.24.0.ebuild b/dev-python/requests/requests-2.24.0.ebuild
index 544ed07..1088d69 100644
--- a/dev-python/requests/requests-2.24.0.ebuild
+++ b/dev-python/requests/requests-2.24.0.ebuild
@@ -38,6 +38,10 @@
 	)
 "
 
+PATCHES=(
+	"${FILESDIR}/${PN}-2.24.0-CVE-2023-32681.patch"
+)
+
 distutils_enable_tests pytest
 
 src_prepare() {
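Review bot: `PATCHES` takes effect only if the ebuild's own `src_prepare()` calls `distutils-r1_src_prepare` (or `default`); that function opens on the last line of this hunk and its body is outside it. An override that skips both would leave the CVE-2023-32681 fix unapplied while the build still succeeds, so confirm the call is present or check the prepare-phase log for the patch being applied. Because the patch adds a test and the ebuild has `distutils_enable_tests pytest`, running the test phase would also show whether the patched `rebuild_proxies` is the code being built. A short comment above the array would help later version bumps, for example `# CVE-2023-32681: keep Proxy-Authorization off TLS-tunneled requests`.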