[arch-commits] Commit in python-httpx/repos/community-any (6 files)

Chih-Hsuan Yen yan12125 at gemini.archlinux.org
Sat May 14 13:21:44 UTC 2022


    Date: Saturday, May 14, 2022 @ 13:21:44
  Author: yan12125
Revision: 1204501

archrelease: copy trunk to community-any

Added:
  python-httpx/repos/community-any/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
    (from rev 1204498, python-httpx/trunk/0001-Do-not-override-the-system-SSL-certificates-with-the.patch)
  python-httpx/repos/community-any/CVE-2021-41945.diff
    (from rev 1204499, python-httpx/trunk/CVE-2021-41945.diff)
  python-httpx/repos/community-any/PKGBUILD
    (from rev 1204499, python-httpx/trunk/PKGBUILD)
  python-httpx/repos/community-any/uvicorn-test-server-use-h11.diff
    (from rev 1204499, python-httpx/trunk/uvicorn-test-server-use-h11.diff)
Deleted:
  python-httpx/repos/community-any/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
  python-httpx/repos/community-any/PKGBUILD

-----------------------------------------------------------------+
 0001-Do-not-override-the-system-SSL-certificates-with-the.patch |  174 +++++-----
 CVE-2021-41945.diff                                             |   77 ++++
 PKGBUILD                                                        |  107 +++---
 uvicorn-test-server-use-h11.diff                                |   13 
 4 files changed, 236 insertions(+), 135 deletions(-)

Deleted: 0001-Do-not-override-the-system-SSL-certificates-with-the.patch
===================================================================
--- 0001-Do-not-override-the-system-SSL-certificates-with-the.patch	2022-05-14 13:21:43 UTC (rev 1204500)
+++ 0001-Do-not-override-the-system-SSL-certificates-with-the.patch	2022-05-14 13:21:44 UTC (rev 1204501)
@@ -1,87 +0,0 @@
-From f2d28b9a35572134b336bcc6e347659cf0504be6 Mon Sep 17 00:00:00 2001
-From: Eli Schwartz <eschwartz at archlinux.org>
-Date: Mon, 13 Jul 2020 11:29:54 -0400
-Subject: [PATCH] Do not override the system SSL certificates with the certifi
- bundle.
-
-We need to respect the system certification policy, and by default the
-ssl module will use our packaged ca-certificates.
-
-ssl.create_default_context(cafile=None) is the default to use the
-builtin (system) certs, but due to the sorcery which this module uses to
-check how arguments are being passed, it's less invasive to simply
-hardcode the standard certificate path instead of letting python
-properly handle it.
----
- httpx/_config.py     | 4 +---
- setup.py             | 1 -
- tests/test_config.py | 5 ++---
- 3 files changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/httpx/_config.py b/httpx/_config.py
-index 9d29f9f..1ac64e1 100644
---- a/httpx/_config.py
-+++ b/httpx/_config.py
-@@ -4,8 +4,6 @@ import typing
- from base64 import b64encode
- from pathlib import Path
- 
--import certifi
--
- from ._compat import set_minimum_tls_version_1_2
- from ._models import URL, Headers
- from ._types import CertTypes, HeaderTypes, TimeoutTypes, URLTypes, VerifyTypes
-@@ -57,7 +55,7 @@ class SSLConfig:
-     SSL Configuration.
-     """
- 
--    DEFAULT_CA_BUNDLE_PATH = Path(certifi.where())
-+    DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")
- 
-     def __init__(
-         self,
-diff --git a/setup.py b/setup.py
-index f3ada86..396d713 100644
---- a/setup.py
-+++ b/setup.py
-@@ -56,7 +56,6 @@ setup(
-     include_package_data=True,
-     zip_safe=False,
-     install_requires=[
--        "certifi",
-         "charset_normalizer",
-         "sniffio",
-         "rfc3986[idna2008]>=1.3,<2",
-diff --git a/tests/test_config.py b/tests/test_config.py
-index f218f8f..74ab743 100644
---- a/tests/test_config.py
-+++ b/tests/test_config.py
-@@ -3,7 +3,6 @@ import ssl
- import sys
- from pathlib import Path
- 
--import certifi
- import pytest
- 
- import httpx
-@@ -21,7 +20,7 @@ def test_load_ssl_config_verify_non_existing_path():
- 
- 
- def test_load_ssl_config_verify_existing_file():
--    context = httpx.create_ssl_context(verify=certifi.where())
-+    context = httpx.create_ssl_context(verify="/etc/ssl/certs/ca-certificates.crt")
-     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
-     assert context.check_hostname is True
- 
-@@ -44,7 +43,7 @@ def test_load_ssl_config_verify_env_file(
- 
- 
- def test_load_ssl_config_verify_directory():
--    path = Path(certifi.where()).parent
-+    path = Path("/etc/ssl/certs/ca-certificates.crt").parent
-     context = httpx.create_ssl_context(verify=str(path))
-     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
-     assert context.check_hostname is True
--- 
-2.32.0
-

Copied: python-httpx/repos/community-any/0001-Do-not-override-the-system-SSL-certificates-with-the.patch (from rev 1204498, python-httpx/trunk/0001-Do-not-override-the-system-SSL-certificates-with-the.patch)
===================================================================
--- 0001-Do-not-override-the-system-SSL-certificates-with-the.patch	                        (rev 0)
+++ 0001-Do-not-override-the-system-SSL-certificates-with-the.patch	2022-05-14 13:21:44 UTC (rev 1204501)
@@ -0,0 +1,87 @@
+From f2d28b9a35572134b336bcc6e347659cf0504be6 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz at archlinux.org>
+Date: Mon, 13 Jul 2020 11:29:54 -0400
+Subject: [PATCH] Do not override the system SSL certificates with the certifi
+ bundle.
+
+We need to respect the system certification policy, and by default the
+ssl module will use our packaged ca-certificates.
+
+ssl.create_default_context(cafile=None) is the default to use the
+builtin (system) certs, but due to the sorcery which this module uses to
+check how arguments are being passed, it's less invasive to simply
+hardcode the standard certificate path instead of letting python
+properly handle it.
+---
+ httpx/_config.py     | 4 +---
+ setup.py             | 1 -
+ tests/test_config.py | 5 ++---
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/httpx/_config.py b/httpx/_config.py
+index 9d29f9f..1ac64e1 100644
+--- a/httpx/_config.py
++++ b/httpx/_config.py
+@@ -4,8 +4,6 @@ import typing
+ from base64 import b64encode
+ from pathlib import Path
+ 
+-import certifi
+-
+ from ._compat import set_minimum_tls_version_1_2
+ from ._models import URL, Headers
+ from ._types import CertTypes, HeaderTypes, TimeoutTypes, URLTypes, VerifyTypes
+@@ -57,7 +55,7 @@ class SSLConfig:
+     SSL Configuration.
+     """
+ 
+-    DEFAULT_CA_BUNDLE_PATH = Path(certifi.where())
++    DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")
+ 
+     def __init__(
+         self,
+diff --git a/setup.py b/setup.py
+index f3ada86..396d713 100644
+--- a/setup.py
++++ b/setup.py
+@@ -56,7 +56,6 @@ setup(
+     include_package_data=True,
+     zip_safe=False,
+     install_requires=[
+-        "certifi",
+         "charset_normalizer",
+         "sniffio",
+         "rfc3986[idna2008]>=1.3,<2",
+diff --git a/tests/test_config.py b/tests/test_config.py
+index f218f8f..74ab743 100644
+--- a/tests/test_config.py
++++ b/tests/test_config.py
+@@ -3,7 +3,6 @@ import ssl
+ import sys
+ from pathlib import Path
+ 
+-import certifi
+ import pytest
+ 
+ import httpx
+@@ -21,7 +20,7 @@ def test_load_ssl_config_verify_non_existing_path():
+ 
+ 
+ def test_load_ssl_config_verify_existing_file():
+-    context = httpx.create_ssl_context(verify=certifi.where())
++    context = httpx.create_ssl_context(verify="/etc/ssl/certs/ca-certificates.crt")
+     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+     assert context.check_hostname is True
+ 
+@@ -44,7 +43,7 @@ def test_load_ssl_config_verify_env_file(
+ 
+ 
+ def test_load_ssl_config_verify_directory():
+-    path = Path(certifi.where()).parent
++    path = Path("/etc/ssl/certs/ca-certificates.crt").parent
+     context = httpx.create_ssl_context(verify=str(path))
+     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+     assert context.check_hostname is True
+-- 
+2.32.0
+
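Review bot: The replacement line `DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")` in `httpx/_config.py` has no comment marking it as a distribution-specific path, and the two edited tests in `tests/test_config.py` now require that file to exist on the build host. The PKGBUILD in this commit lists no package providing the bundle in `depends` or `checkdepends`, so it presumably arrives transitively; naming it explicitly would make the trust-store dependency visible. I would add `# Arch: use the system trust store (ca-certificates) instead of certifi's bundled copy` above the assignment. The `SSLConfig` class body continues outside the inner hunk.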

Copied: python-httpx/repos/community-any/CVE-2021-41945.diff (from rev 1204499, python-httpx/trunk/CVE-2021-41945.diff)
===================================================================
--- CVE-2021-41945.diff	                        (rev 0)
+++ CVE-2021-41945.diff	2022-05-14 13:21:44 UTC (rev 1204501)
@@ -0,0 +1,77 @@
+diff --git a/httpx/_models.py b/httpx/_models.py
+index 3755c25..a70e597 100644
+--- a/httpx/_models.py
++++ b/httpx/_models.py
+@@ -534,7 +534,11 @@ class URL:
+         #  \_/   \______________/\_________/ \_________/ \__/
+         #   |           |            |            |        |
+         # scheme     authority       path        query   fragment
+-        return URL(self._uri_reference.copy_with(**kwargs).unsplit())
++        new_url = URL(self)
++        new_url._uri_reference = self._uri_reference.copy_with(**kwargs)
++        if new_url.is_absolute_url:
++            new_url._uri_reference = new_url._uri_reference.normalize()
++        return URL(new_url)
+ 
+     def copy_set_param(self, key: str, value: typing.Any = None) -> "URL":
+         return self.copy_with(params=self.params.set(key, value))
+diff --git a/tests/models/test_url.py b/tests/models/test_url.py
+index cd099bd..a088fc2 100644
+--- a/tests/models/test_url.py
++++ b/tests/models/test_url.py
+@@ -308,6 +308,55 @@ def test_url_copywith_raw_path():
+     assert url.raw_path == b"/some/path?a=123"
+ 
+ 
++def test_url_copywith_security():
++    """
++    Prevent unexpected changes on URL after calling copy_with (CVE-2021-41945)
++    """
++    url = httpx.URL("https://u:p@[invalid!]//evilHost/path?t=w#tw")
++    original_scheme = url.scheme
++    original_userinfo = url.userinfo
++    original_netloc = url.netloc
++    original_raw_path = url.raw_path
++    original_query = url.query
++    original_fragment = url.fragment
++    url = url.copy_with()
++    assert url.scheme == original_scheme
++    assert url.userinfo == original_userinfo
++    assert url.netloc == original_netloc
++    assert url.raw_path == original_raw_path
++    assert url.query == original_query
++    assert url.fragment == original_fragment
++
++    url = httpx.URL("https://u:p@[invalid!]//evilHost/path?t=w#tw")
++    original_scheme = url.scheme
++    original_netloc = url.netloc
++    original_raw_path = url.raw_path
++    original_query = url.query
++    original_fragment = url.fragment
++    url = url.copy_with(userinfo=b"")
++    assert url.scheme == original_scheme
++    assert url.userinfo == b""
++    assert url.netloc == original_netloc
++    assert url.raw_path == original_raw_path
++    assert url.query == original_query
++    assert url.fragment == original_fragment
++
++    url = httpx.URL("https://example.com/path?t=w#tw")
++    original_userinfo = url.userinfo
++    original_netloc = url.netloc
++    original_raw_path = url.raw_path
++    original_query = url.query
++    original_fragment = url.fragment
++    bad = "https://xxxx:xxxx@xxxxxxx/xxxxx/xxx?x=x#xxxxx"
++    url = url.copy_with(scheme=bad)
++    assert url.scheme == bad
++    assert url.userinfo == original_userinfo
++    assert url.netloc == original_netloc
++    assert url.raw_path == original_raw_path
++    assert url.query == original_query
++    assert url.fragment == original_fragment
++
++
+ def test_url_invalid():
+     with pytest.raises(httpx.InvalidURL):
+         httpx.URL("https://😇/")
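Review bot: The third case in `test_url_copywith_security` asserts `url.scheme == bad` for a value containing `://`, `@` and `/`, so the backported `copy_with` keeps a string that is not a valid RFC 3986 scheme rather than rejecting it. The other assertions show the remaining components are no longer re-derived from that string, but nothing here checks what `str(url)` yields for such an object. Code that serialises and re-parses the URL may therefore still need its own validation; this is an inference, since serialisation is outside the hunk. The new `copy_with` lines also assign the private `_uri_reference` without explanation; I would add `# Set the parsed reference directly; re-parsing the unsplit() string let a crafted component alter other URL parts (CVE-2021-41945)` above `new_url = URL(self)`. `copy_with` starts outside the inner hunk.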

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2022-05-14 13:21:43 UTC (rev 1204500)
+++ PKGBUILD	2022-05-14 13:21:44 UTC (rev 1204501)
@@ -1,48 +0,0 @@
-# Maintainer: Eli Schwartz <eschwartz at archlinux.org>
-
-_pkgname=httpx
-pkgname=python-httpx
-pkgver=0.22.0
-pkgrel=1
-pkgdesc="A next generation HTTP client for Python"
-arch=('any')
-url="https://github.com/encode/${_pkgname}"
-license=('BSD')
-depends=('python-charset-normalizer' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio' 'python-rich')
-optdepends=('python-brotlicffi: for brotli response decompression')
-makedepends=('python-setuptools')
-checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-typing_extensions' 'python-brotlicffi' 'python-h2' 'python-trustme' 'uvicorn' 'python-socksio')
-source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
-        "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
-sha512sums=('a7360f5355f75f07425b42d49697e480319f3fe606d4601bb6d64b870c8a8fce6fad8bd857ef422fc48e6141201307ee94876d5bc54a68557c7dc32ce8f1451b'
-            'faf90f908ab8d5054d096eef1ba4e9cee733eb8178d2df0dfe922923bf8a98eebf880b9a6be3386caffed88229f82f1199c026ede455a57998246821a37e5748')
-b2sums=('bb08a7c4b72478d24264c0dca5630205ff386af73294dca66dcd12b646de602ad64e308feedaabd58742cb7a9d799fa23cd2f922e685e74f8181e1b5e9f1c4ee'
-        '3e020b5f3c3aeeede6304851023eed4ab10f74df68203b504b5564892aa960d5c52521279a0b9cf40ead1e18b5ce9ee3998ad4502e6008f07808817d0405b7c7')
-
-prepare() {
-  cd ${_pkgname}-${pkgver}
-
-  # bad certifi
-  patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
-  # fix tests
-  sed -e 's|Transfer-Encoding|transfer-encoding|g' -i tests/test_main.py
-}
-
-build() {
-  cd ${_pkgname}-${pkgver}
-
-  python setup.py build
-}
-
-check() {
-  cd ${_pkgname}-${pkgver}
-
-  pytest -W ignore::DeprecationWarning -k 'not text_decoder[data3-iso-8859-1] and not response_no_charset_with_iso_8859_1_content'
-}
-
-package() {
-  cd ${_pkgname}-${pkgver}
-
-  python setup.py install --root="${pkgdir}" --optimize=1 --skip-build
-  install -Dm644 LICENSE.md "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE.md
-}

Copied: python-httpx/repos/community-any/PKGBUILD (from rev 1204499, python-httpx/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2022-05-14 13:21:44 UTC (rev 1204501)
@@ -0,0 +1,59 @@
+# Maintainer: Eli Schwartz <eschwartz at archlinux.org>
+
+_pkgname=httpx
+pkgname=python-httpx
+pkgver=0.22.0
+pkgrel=2
+pkgdesc="A next generation HTTP client for Python"
+arch=('any')
+url="https://github.com/encode/${_pkgname}"
+license=('BSD')
+depends=('python-charset-normalizer' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio' 'python-rich')
+optdepends=('python-brotlicffi: for brotli response decompression')
+makedepends=('python-setuptools')
+checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-typing_extensions' 'python-brotlicffi' 'python-h2' 'python-trustme' 'uvicorn' 'python-socksio')
+source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
+        "0001-Do-not-override-the-system-SSL-certificates-with-the.patch"
+        "uvicorn-test-server-use-h11.diff"
+        "CVE-2021-41945.diff")
+sha512sums=('a7360f5355f75f07425b42d49697e480319f3fe606d4601bb6d64b870c8a8fce6fad8bd857ef422fc48e6141201307ee94876d5bc54a68557c7dc32ce8f1451b'
+            'faf90f908ab8d5054d096eef1ba4e9cee733eb8178d2df0dfe922923bf8a98eebf880b9a6be3386caffed88229f82f1199c026ede455a57998246821a37e5748'
+            'd86ec2b97ca0dda68f023f9d1fbed0cb143e4ae118ac71fe6651f8f65d7130f014c0cc14a9ab490fc09583370141d5827976c334bd1c58aaebcf1a00762214c9'
+            'b57e7f3bdc2df8814032b1cffcbebf293a53f4c1fc9a79d4ae210a65ac23272e57b67f911b1f9c77229f7d039240383d4e1c8e880de603f2bfdf7d7d0080c2b5')
+b2sums=('bb08a7c4b72478d24264c0dca5630205ff386af73294dca66dcd12b646de602ad64e308feedaabd58742cb7a9d799fa23cd2f922e685e74f8181e1b5e9f1c4ee'
+        '3e020b5f3c3aeeede6304851023eed4ab10f74df68203b504b5564892aa960d5c52521279a0b9cf40ead1e18b5ce9ee3998ad4502e6008f07808817d0405b7c7'
+        'b67493e9c8d38ae9b64d831b178d8b943a90a3382e381f08792a35c935fa702b094ea962eb653e5b6ad1b5990466d3d0814d166093aa7b9e921632e61d4ebd45'
+        'a6d756c382eb79d94cc675625fcbf0e7dca36be26820cc56d7a60465066750ba15442e42a8bcbf420416aabb80e0f34ed24776e00affda5d7f971623214539b3')
+
+prepare() {
+  cd ${_pkgname}-${pkgver}
+
+  # bad certifi
+  patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
+  # fix tests
+  patch -Np1 -i ../uvicorn-test-server-use-h11.diff
+  # Manual backport of https://github.com/encode/httpx/commit/e9b0c85dd4f4e4469c57c4b38e5101fd12081b5c
+  # That commit does not apply cleanly on 0.22.0
+  patch -Np1 -i ../CVE-2021-41945.diff
+}
+
+build() {
+  cd ${_pkgname}-${pkgver}
+
+  python setup.py build
+}
+
+check() {
+  cd ${_pkgname}-${pkgver}
+
+  # Encoding-related tests failed since charset-normalizer 2.0.7; there are many related discussions upstream:
+  # https://github.com/encode/httpx/search?q=charset-normalizer&type=discussions
+  pytest -W ignore::DeprecationWarning -k 'not text_decoder[data3-iso-8859-1] and not response_no_charset_with_iso_8859_1_content'
+}
+
+package() {
+  cd ${_pkgname}-${pkgver}
+
+  python setup.py install --root="${pkgdir}" --optimize=1 --skip-build
+  install -Dm644 LICENSE.md "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE.md
+}
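Review bot: In `prepare()` the first patch is still applied with `patch -p1 -i` while the two new ones use `patch -Np1 -i`; changing it to `patch -Np1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch` would make all three behave the same when a patch is already applied. The comment above the CVE backport names the upstream commit, which helps auditing, but it does not say when the patch can be dropped; I would extend it with `# Drop once pkgver includes the upstream commit above`. `check()` still deselects two encoding tests with `-k`, so the backport's `test_url_copywith_security` runs but those two do not.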

Copied: python-httpx/repos/community-any/uvicorn-test-server-use-h11.diff (from rev 1204499, python-httpx/trunk/uvicorn-test-server-use-h11.diff)
===================================================================
--- uvicorn-test-server-use-h11.diff	                        (rev 0)
+++ uvicorn-test-server-use-h11.diff	2022-05-14 13:21:44 UTC (rev 1204501)
@@ -0,0 +1,13 @@
+diff --git a/tests/conftest.py b/tests/conftest.py
+index 970c353..1ea3aa9 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -304,7 +304,7 @@ def serve_in_thread(server: Server):
+ 
+ @pytest.fixture(scope="session")
+ def server():
+-    config = Config(app=app, lifespan="off", loop="asyncio")
++    config = Config(app=app, lifespan="off", loop="asyncio", http="h11")
+     server = TestServer(config=config)
+     yield from serve_in_thread(server)
+ 


