[arch-commits] Commit in python-httpx/trunk (3 files)

Chih-Hsuan Yen yan12125 at gemini.archlinux.org
Sat May 14 13:21:21 UTC 2022 

    Date: Saturday, May 14, 2022 @ 13:21:20
  Author: yan12125
Revision: 1204497

upgpkg: python-httpx 0.22.0-2; backport a CVE fix + minor changes for tests

* Use a better fix for failures in test_main
* Add comments for failures related to encoding

Added:
  python-httpx/trunk/CVE-2021-41945.diff
  python-httpx/trunk/uvicorn-test-server-use-h11.diff
Modified:
  python-httpx/trunk/PKGBUILD

----------------------------------+
 CVE-2021-41945.diff              |   77 +++++++++++++++++++++++++++++++++++++
 PKGBUILD                         |   21 +++++++---
 uvicorn-test-server-use-h11.diff |   13 ++++++
 3 files changed, 106 insertions(+), 5 deletions(-)

Added: CVE-2021-41945.diff
===================================================================
--- CVE-2021-41945.diff	                        (rev 0)
+++ CVE-2021-41945.diff	2022-05-14 13:21:20 UTC (rev 1204497)
@@ -0,0 +1,77 @@
+diff --git a/httpx/_models.py b/httpx/_models.py
+index 3755c25..a70e597 100644
+--- a/httpx/_models.py
++++ b/httpx/_models.py
+@@ -534,7 +534,11 @@ class URL:
+         #  \_/   \______________/\_________/ \_________/ \__/
+         #   |           |            |            |        |
+         # scheme     authority       path        query   fragment
+-        return URL(self._uri_reference.copy_with(**kwargs).unsplit())
++        new_url = URL(self)
++        new_url._uri_reference = self._uri_reference.copy_with(**kwargs)
++        if new_url.is_absolute_url:
++            new_url._uri_reference = new_url._uri_reference.normalize()
++        return URL(new_url)
+ 
+     def copy_set_param(self, key: str, value: typing.Any = None) -> "URL":
+         return self.copy_with(params=self.params.set(key, value))
+diff --git a/tests/models/test_url.py b/tests/models/test_url.py
+index cd099bd..a088fc2 100644
+--- a/tests/models/test_url.py
++++ b/tests/models/test_url.py
+@@ -308,6 +308,55 @@ def test_url_copywith_raw_path():
+     assert url.raw_path == b"/some/path?a=123"
+ 
+ 
++def test_url_copywith_security():
++    """
++    Prevent unexpected changes on URL after calling copy_with (CVE-2021-41945)
++    """
++    url = httpx.URL("https://u:p@[invalid!]//evilHost/path?t=w#tw")
++    original_scheme = url.scheme
++    original_userinfo = url.userinfo
++    original_netloc = url.netloc
++    original_raw_path = url.raw_path
++    original_query = url.query
++    original_fragment = url.fragment
++    url = url.copy_with()
++    assert url.scheme == original_scheme
++    assert url.userinfo == original_userinfo
++    assert url.netloc == original_netloc
++    assert url.raw_path == original_raw_path
++    assert url.query == original_query
++    assert url.fragment == original_fragment
++
++    url = httpx.URL("https://u:p@[invalid!]//evilHost/path?t=w#tw")
++    original_scheme = url.scheme
++    original_netloc = url.netloc
++    original_raw_path = url.raw_path
++    original_query = url.query
++    original_fragment = url.fragment
++    url = url.copy_with(userinfo=b"")
++    assert url.scheme == original_scheme
++    assert url.userinfo == b""
++    assert url.netloc == original_netloc
++    assert url.raw_path == original_raw_path
++    assert url.query == original_query
++    assert url.fragment == original_fragment
++
++    url = httpx.URL("https://example.com/path?t=w#tw")
++    original_userinfo = url.userinfo
++    original_netloc = url.netloc
++    original_raw_path = url.raw_path
++    original_query = url.query
++    original_fragment = url.fragment
++    bad = "https://xxxx:xxxx@xxxxxxx/xxxxx/xxx?x=x#xxxxx"
++    url = url.copy_with(scheme=bad)
++    assert url.scheme == bad
++    assert url.userinfo == original_userinfo
++    assert url.netloc == original_netloc
++    assert url.raw_path == original_raw_path
++    assert url.query == original_query
++    assert url.fragment == original_fragment
++
++
+ def test_url_invalid():
+     with pytest.raises(httpx.InvalidURL):
+         httpx.URL("https://😇/")

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2022-05-14 13:21:09 UTC (rev 1204496)
+++ PKGBUILD	2022-05-14 13:21:20 UTC (rev 1204497)
@@ -3,7 +3,7 @@
 _pkgname=httpx
 pkgname=python-httpx
 pkgver=0.22.0
-pkgrel=1
+pkgrel=2
 pkgdesc="A next generation HTTP client for Python"
 arch=('any')
 url="https://github.com/encode/${_pkgname}"
@@ -13,11 +13,17 @@
 makedepends=('python-setuptools')
 checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-typing_extensions' 'python-brotlicffi' 'python-h2' 'python-trustme' 'uvicorn' 'python-socksio')
 source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
-        "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
+        "0001-Do-not-override-the-system-SSL-certificates-with-the.patch"
+        "uvicorn-test-server-use-h11.diff"
+        "CVE-2021-41945.diff")
 sha512sums=('a7360f5355f75f07425b42d49697e480319f3fe606d4601bb6d64b870c8a8fce6fad8bd857ef422fc48e6141201307ee94876d5bc54a68557c7dc32ce8f1451b'
-            'faf90f908ab8d5054d096eef1ba4e9cee733eb8178d2df0dfe922923bf8a98eebf880b9a6be3386caffed88229f82f1199c026ede455a57998246821a37e5748')
+            'faf90f908ab8d5054d096eef1ba4e9cee733eb8178d2df0dfe922923bf8a98eebf880b9a6be3386caffed88229f82f1199c026ede455a57998246821a37e5748'
+            'd86ec2b97ca0dda68f023f9d1fbed0cb143e4ae118ac71fe6651f8f65d7130f014c0cc14a9ab490fc09583370141d5827976c334bd1c58aaebcf1a00762214c9'
+            'b57e7f3bdc2df8814032b1cffcbebf293a53f4c1fc9a79d4ae210a65ac23272e57b67f911b1f9c77229f7d039240383d4e1c8e880de603f2bfdf7d7d0080c2b5')
 b2sums=('bb08a7c4b72478d24264c0dca5630205ff386af73294dca66dcd12b646de602ad64e308feedaabd58742cb7a9d799fa23cd2f922e685e74f8181e1b5e9f1c4ee'
-        '3e020b5f3c3aeeede6304851023eed4ab10f74df68203b504b5564892aa960d5c52521279a0b9cf40ead1e18b5ce9ee3998ad4502e6008f07808817d0405b7c7')
+        '3e020b5f3c3aeeede6304851023eed4ab10f74df68203b504b5564892aa960d5c52521279a0b9cf40ead1e18b5ce9ee3998ad4502e6008f07808817d0405b7c7'
+        'b67493e9c8d38ae9b64d831b178d8b943a90a3382e381f08792a35c935fa702b094ea962eb653e5b6ad1b5990466d3d0814d166093aa7b9e921632e61d4ebd45'
+        'a6d756c382eb79d94cc675625fcbf0e7dca36be26820cc56d7a60465066750ba15442e42a8bcbf420416aabb80e0f34ed24776e00affda5d7f971623214539b3')
 
 prepare() {
   cd ${_pkgname}-${pkgver}
@@ -25,7 +31,10 @@
   # bad certifi
   patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
   # fix tests
-  sed -e 's|Transfer-Encoding|transfer-encoding|g' -i tests/test_main.py
+  patch -Np1 -i ../uvicorn-test-server-use-h11.diff
+  # Manual backport of https://github.com/encode/httpx/commit/e9b0c85dd4f4e4469c57c4b38e5101fd12081b5c
+  # That commit does not apply cleanly on 0.22.0
+  patch -Np1 -i ../CVE-2021-41945.diff
 }
 
 build() {
@@ -37,6 +46,8 @@
 check() {
   cd ${_pkgname}-${pkgver}
 
+  # Encoding-related tests failed since charset-normalizer 2.0.7; there are many related discussions upstream:
+  # https://github.com/encode/httpx/search?q=charset-normalizer&type=discussions
   pytest -W ignore::DeprecationWarning -k 'not text_decoder[data3-iso-8859-1] and not response_no_charset_with_iso_8859_1_content'
 }
 

Added: uvicorn-test-server-use-h11.diff
===================================================================
--- uvicorn-test-server-use-h11.diff	                        (rev 0)
+++ uvicorn-test-server-use-h11.diff	2022-05-14 13:21:20 UTC (rev 1204497)
@@ -0,0 +1,13 @@
+diff --git a/tests/conftest.py b/tests/conftest.py
+index 970c353..1ea3aa9 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -304,7 +304,7 @@ def serve_in_thread(server: Server):
+ 
+ @pytest.fixture(scope="session")
+ def server():
+-    config = Config(app=app, lifespan="off", loop="asyncio")
++    config = Config(app=app, lifespan="off", loop="asyncio", http="h11")
+     server = TestServer(config=config)
+     yield from serve_in_thread(server)
+

More information about the arch-commits mailing list