dev-python/requests/files/requests-2.24.0-CVE-2023-32681.patch - third_party/overlays/portage-stable - Git at Google

 From 7a334cc96ee16186e26943d7777bfbefddecaf08 Mon Sep 17 00:00:00 2001
 From: Nate Prewitt <nate.prewitt@gmail.com>
 Date: Mon, 22 May 2023 08:08:57 -0700
 Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q

 ---
  requests/sessions.py   |  4 +++-
  tests/test_requests.py | 20 ++++++++++++++++++++
  2 files changed, 23 insertions(+), 1 deletion(-)

 diff --git a/requests/sessions.py b/requests/sessions.py
 index e8e2d609a78d..6e73925ae937 100644
 --- a/requests/sessions.py
 +++ b/requests/sessions.py
 @@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
          except KeyError:
              username, password = None, None

 -        if username and password:
 +        # urllib3 handles proxy authorization for us in the standard adapter.
 +        # Avoid appending this to TLS tunneled requests where it may be leaked.
 +        if not scheme.startswith('https') and username and password:
              headers['Proxy-Authorization'] = _basic_auth_str(username, password)

          return new_proxies
 diff --git a/tests/test_requests.py b/tests/test_requests.py
 index e730f7648b4d..66ee3f5fdd41 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
 @@ -551,6 +551,26 @@ class TestRequests:
          with pytest.raises(InvalidProxyURL):
              requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})

 +
 +    @pytest.mark.parametrize(
 +        "url,has_proxy_auth",
 +        (
 +            ('http://example.com', True),
 +            ('https://example.com', False),
 +        ),
 +    )
 +    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
 +        session = requests.Session()
 +        proxies = {
 +            'http': 'http://test:pass@localhost:8080',
 +            'https': 'http://test:pass@localhost:8090',
 +        }
 +        req = requests.Request('GET', url)
 +        prep = req.prepare()
 +        session.rebuild_proxies(prep, proxies)
 +
 +        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
 +
      def test_basicauth_with_netrc(self, httpbin):
          auth = ('user', 'pass')
          wrong_auth = ('wronguser', 'wrongpass')
 --
 2.44.0.769.g3c40516874-goog
	From 7a334cc96ee16186e26943d7777bfbefddecaf08 Mon Sep 17 00:00:00 2001
	From: Nate Prewitt <nate.prewitt@gmail.com>
	Date: Mon, 22 May 2023 08:08:57 -0700
	Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q

	---
	requests/sessions.py \| 4 +++-
	tests/test_requests.py \| 20 ++++++++++++++++++++
	2 files changed, 23 insertions(+), 1 deletion(-)

	diff --git a/requests/sessions.py b/requests/sessions.py
	index e8e2d609a78d..6e73925ae937 100644
	--- a/requests/sessions.py
	+++ b/requests/sessions.py
	@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
	except KeyError:
	username, password = None, None

	- if username and password:
	+ # urllib3 handles proxy authorization for us in the standard adapter.
	+ # Avoid appending this to TLS tunneled requests where it may be leaked.
	+ if not scheme.startswith('https') and username and password:
	headers['Proxy-Authorization'] = _basic_auth_str(username, password)

	return new_proxies
	diff --git a/tests/test_requests.py b/tests/test_requests.py
	index e730f7648b4d..66ee3f5fdd41 100644
	--- a/tests/test_requests.py
	+++ b/tests/test_requests.py
	@@ -551,6 +551,26 @@ class TestRequests:
	with pytest.raises(InvalidProxyURL):
	requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})

	+
	+ @pytest.mark.parametrize(
	+ "url,has_proxy_auth",
	+ (
	+ ('http://example.com', True),
	+ ('https://example.com', False),
	+ ),
	+ )
	+ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
	+ session = requests.Session()
	+ proxies = {
	+ 'http': 'http://test:pass@localhost:8080',
	+ 'https': 'http://test:pass@localhost:8090',
	+ }
	+ req = requests.Request('GET', url)
	+ prep = req.prepare()
	+ session.rebuild_proxies(prep, proxies)
	+
	+ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
	+
	def test_basicauth_with_netrc(self, httpbin):
	auth = ('user', 'pass')
	wrong_auth = ('wronguser', 'wrongpass')
	--
	2.44.0.769.g3c40516874-goog