[arch-commits] Commit in python-httpx/trunk (3 files)
Chih-Hsuan Yen
yan12125 at gemini.archlinux.org
Sat May 14 13:21:21 UTC 2022
Date: Saturday, May 14, 2022 @ 13:21:20
Author: yan12125
Revision: 1204497
upgpkg: python-httpx 0.22.0-2; backport a CVE fix + minor changes for tests
* Use a better fix for failures in test_main
* Add comments for failures related to encoding
Added:
python-httpx/trunk/CVE-2021-41945.diff
python-httpx/trunk/uvicorn-test-server-use-h11.diff
Modified:
python-httpx/trunk/PKGBUILD
----------------------------------+
CVE-2021-41945.diff | 77 +++++++++++++++++++++++++++++++++++++
PKGBUILD | 21 +++++++---
uvicorn-test-server-use-h11.diff | 13 ++++++
3 files changed, 106 insertions(+), 5 deletions(-)
Added: CVE-2021-41945.diff
===================================================================
--- CVE-2021-41945.diff (rev 0)
+++ CVE-2021-41945.diff 2022-05-14 13:21:20 UTC (rev 1204497)
@@ -0,0 +1,77 @@
+diff --git a/httpx/_models.py b/httpx/_models.py
+index 3755c25..a70e597 100644
+--- a/httpx/_models.py
++++ b/httpx/_models.py
+@@ -534,7 +534,11 @@ class URL:
+ # \_/ \______________/\_________/ \_________/ \__/
+ # | | | | |
+ # scheme authority path query fragment
+- return URL(self._uri_reference.copy_with(**kwargs).unsplit())
++ new_url = URL(self)
++ new_url._uri_reference = self._uri_reference.copy_with(**kwargs)
++ if new_url.is_absolute_url:
++ new_url._uri_reference = new_url._uri_reference.normalize()
++ return URL(new_url)
+
+ def copy_set_param(self, key: str, value: typing.Any = None) -> "URL":
+ return self.copy_with(params=self.params.set(key, value))
+diff --git a/tests/models/test_url.py b/tests/models/test_url.py
+index cd099bd..a088fc2 100644
+--- a/tests/models/test_url.py
++++ b/tests/models/test_url.py
+@@ -308,6 +308,55 @@ def test_url_copywith_raw_path():
+ assert url.raw_path == b"/some/path?a=123"
+
+
++def test_url_copywith_security():
++ """
++ Prevent unexpected changes on URL after calling copy_with (CVE-2021-41945)
++ """
++ url = httpx.URL("https://u:p@[invalid!]//evilHost/path?t=w#tw")
++ original_scheme = url.scheme
++ original_userinfo = url.userinfo
++ original_netloc = url.netloc
++ original_raw_path = url.raw_path
++ original_query = url.query
++ original_fragment = url.fragment
++ url = url.copy_with()
++ assert url.scheme == original_scheme
++ assert url.userinfo == original_userinfo
++ assert url.netloc == original_netloc
++ assert url.raw_path == original_raw_path
++ assert url.query == original_query
++ assert url.fragment == original_fragment
++
++ url = httpx.URL("https://u:p@[invalid!]//evilHost/path?t=w#tw")
++ original_scheme = url.scheme
++ original_netloc = url.netloc
++ original_raw_path = url.raw_path
++ original_query = url.query
++ original_fragment = url.fragment
++ url = url.copy_with(userinfo=b"")
++ assert url.scheme == original_scheme
++ assert url.userinfo == b""
++ assert url.netloc == original_netloc
++ assert url.raw_path == original_raw_path
++ assert url.query == original_query
++ assert url.fragment == original_fragment
++
++ url = httpx.URL("https://example.com/path?t=w#tw")
++ original_userinfo = url.userinfo
++ original_netloc = url.netloc
++ original_raw_path = url.raw_path
++ original_query = url.query
++ original_fragment = url.fragment
++ bad = "https://xxxx:xxxx@xxxxxxx/xxxxx/xxx?x=x#xxxxx"
++ url = url.copy_with(scheme=bad)
++ assert url.scheme == bad
++ assert url.userinfo == original_userinfo
++ assert url.netloc == original_netloc
++ assert url.raw_path == original_raw_path
++ assert url.query == original_query
++ assert url.fragment == original_fragment
++
++
+ def test_url_invalid():
+ with pytest.raises(httpx.InvalidURL):
+ httpx.URL("https://😇/")
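Review bot: The rewritten `copy_with` body in the `httpx/_models.py` hunk carries no comment saying why it now copies `_uri_reference` directly and only normalizes an absolute URL instead of the previous `unsplit()` round-trip; that round-trip is the defect behind CVE-2021-41945, and a future rebase could reintroduce it as a "simplification". Suggest a comment above `new_url = URL(self)` such as `# Do not rebuild via unsplit(): re-parsing the joined string can let one component be read as another, as the [invalid!]//evilHost fixture in test_url_copywith_security shows (CVE-2021-41945).` The hunk as rendered here also shows the patched lines without their leading indentation, presumably a mail-archive artifact, but the committed .diff must keep the original indentation or `patch -Np1` in prepare() will reject it. The enclosing `class URL` and the rest of `copy_with` lie outside the hunk.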
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-05-14 13:21:09 UTC (rev 1204496)
+++ PKGBUILD 2022-05-14 13:21:20 UTC (rev 1204497)
@@ -3,7 +3,7 @@
_pkgname=httpx
pkgname=python-httpx
pkgver=0.22.0
-pkgrel=1
+pkgrel=2
pkgdesc="A next generation HTTP client for Python"
arch=('any')
url="https://github.com/encode/${_pkgname}"
@@ -13,11 +13,17 @@
makedepends=('python-setuptools')
checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-typing_extensions' 'python-brotlicffi' 'python-h2' 'python-trustme' 'uvicorn' 'python-socksio')
source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
- "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
+ "0001-Do-not-override-the-system-SSL-certificates-with-the.patch"
+ "uvicorn-test-server-use-h11.diff"
+ "CVE-2021-41945.diff")
sha512sums=('a7360f5355f75f07425b42d49697e480319f3fe606d4601bb6d64b870c8a8fce6fad8bd857ef422fc48e6141201307ee94876d5bc54a68557c7dc32ce8f1451b'
- 'faf90f908ab8d5054d096eef1ba4e9cee733eb8178d2df0dfe922923bf8a98eebf880b9a6be3386caffed88229f82f1199c026ede455a57998246821a37e5748')
+ 'faf90f908ab8d5054d096eef1ba4e9cee733eb8178d2df0dfe922923bf8a98eebf880b9a6be3386caffed88229f82f1199c026ede455a57998246821a37e5748'
+ 'd86ec2b97ca0dda68f023f9d1fbed0cb143e4ae118ac71fe6651f8f65d7130f014c0cc14a9ab490fc09583370141d5827976c334bd1c58aaebcf1a00762214c9'
+ 'b57e7f3bdc2df8814032b1cffcbebf293a53f4c1fc9a79d4ae210a65ac23272e57b67f911b1f9c77229f7d039240383d4e1c8e880de603f2bfdf7d7d0080c2b5')
b2sums=('bb08a7c4b72478d24264c0dca5630205ff386af73294dca66dcd12b646de602ad64e308feedaabd58742cb7a9d799fa23cd2f922e685e74f8181e1b5e9f1c4ee'
- '3e020b5f3c3aeeede6304851023eed4ab10f74df68203b504b5564892aa960d5c52521279a0b9cf40ead1e18b5ce9ee3998ad4502e6008f07808817d0405b7c7')
+ '3e020b5f3c3aeeede6304851023eed4ab10f74df68203b504b5564892aa960d5c52521279a0b9cf40ead1e18b5ce9ee3998ad4502e6008f07808817d0405b7c7'
+ 'b67493e9c8d38ae9b64d831b178d8b943a90a3382e381f08792a35c935fa702b094ea962eb653e5b6ad1b5990466d3d0814d166093aa7b9e921632e61d4ebd45'
+ 'a6d756c382eb79d94cc675625fcbf0e7dca36be26820cc56d7a60465066750ba15442e42a8bcbf420416aabb80e0f34ed24776e00affda5d7f971623214539b3')
prepare() {
cd ${_pkgname}-${pkgver}
@@ -25,7 +31,10 @@
# bad certifi
patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
# fix tests
- sed -e 's|Transfer-Encoding|transfer-encoding|g' -i tests/test_main.py
+ patch -Np1 -i ../uvicorn-test-server-use-h11.diff
+ # Manual backport of https://github.com/encode/httpx/commit/e9b0c85dd4f4e4469c57c4b38e5101fd12081b5c
+ # That commit does not apply cleanly on 0.22.0
+ patch -Np1 -i ../CVE-2021-41945.diff
}
build() {
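Review bot: The two new `patch` calls in `prepare()` use `-Np1` while the existing certifi patch two lines above uses plain `-p1`; pick one form for all three (`-N`/`--forward` only changes behaviour for hunks that already appear applied, which should not happen in a freshly extracted tree). The `# fix tests` comment now sits above the uvicorn patch only, and the backport comment would be easier to locate later if it named the advisory, e.g. `# CVE-2021-41945: manual backport of https://github.com/encode/httpx/commit/e9b0c85dd4f4e4469c57c4b38e5101fd12081b5c (does not apply cleanly on 0.22.0)`. `prepare()` opens in the previous hunk.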
@@ -37,6 +46,8 @@
check() {
cd ${_pkgname}-${pkgver}
+ # Encoding-related tests failed since charset-normalizer 2.0.7; there are many related discussions upstream:
+ # https://github.com/encode/httpx/search?q=charset-normalizer&type=discussions
pytest -W ignore::DeprecationWarning -k 'not text_decoder[data3-iso-8859-1] and not response_no_charset_with_iso_8859_1_content'
}
Added: uvicorn-test-server-use-h11.diff
===================================================================
--- uvicorn-test-server-use-h11.diff (rev 0)
+++ uvicorn-test-server-use-h11.diff 2022-05-14 13:21:20 UTC (rev 1204497)
@@ -0,0 +1,13 @@
+diff --git a/tests/conftest.py b/tests/conftest.py
+index 970c353..1ea3aa9 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -304,7 +304,7 @@ def serve_in_thread(server: Server):
+
+ @pytest.fixture(scope="session")
+ def server():
+- config = Config(app=app, lifespan="off", loop="asyncio")
++ config = Config(app=app, lifespan="off", loop="asyncio", http="h11")
+ server = TestServer(config=config)
+ yield from serve_in_thread(server)
+
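Review bot: The added `http="h11"` argument in the `server` fixture has no comment explaining why the test server is pinned to h11, and the patch file carries no header either; the only context is the PKGBUILD's `# fix tests` and the commit message. Presumably the default HTTP implementation emits header names in a different case than `test_main` expects (the `sed` this replaces lowercased `Transfer-Encoding`), but that reasoning should live in the patch, e.g. a comment above the `Config(...)` line: `# pinned to h11 so tests/test_main.py sees the header casing it asserts on`. Indentation of the quoted lines appears lost in this rendering; the committed file needs the original indentation for `patch -Np1` to apply.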