From bbc9535cfcb099a2cdd37a613598ad4f991fd715 Mon Sep 17 00:00:00 2001 From: tangce Date: Tue, 22 Jul 2025 21:12:54 +0800 Subject: [PATCH] fix CVE-2025-50181 --- ...0181-fix-suspend-redirec-ineffective.patch | 107 ++++++++++++++++++ python-urllib3.spec | 9 +- 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-50181-fix-suspend-redirec-ineffective.patch diff --git a/backport-CVE-2025-50181-fix-suspend-redirec-ineffective.patch b/backport-CVE-2025-50181-fix-suspend-redirec-ineffective.patch new file mode 100644 index 0000000..b2ede26 --- /dev/null +++ b/backport-CVE-2025-50181-fix-suspend-redirec-ineffective.patch @@ -0,0 +1,107 @@ +From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Wed, 18 Jun 2025 16:25:01 +0300 +Subject: [PATCH] Merge commit from fork + +* Apply Quentin's suggestion + +Co-authored-by: Quentin Pradet + +* Add tests for disabled redirects in the pool manager + +* Add a possible fix for the issue with not raised `MaxRetryError` + +* Make urllib3 handle redirects instead of JS when JSPI is used + +* Fix info in the new comment + +* State that redirects with XHR are not controlled by urllib3 + +* Remove excessive params from new test requests + +* Add tests reaching max non-0 redirects + +* Test redirects with Emscripten + +* Fix `test_merge_pool_kwargs` + +* Add a changelog entry + +* Parametrize tests + +* Drop a fix for Emscripten + +* Apply Seth's suggestion to docs + +Co-authored-by: Seth Michael Larson + +* Use a minor release instead of the patch one + +Reference:https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 +Conflict:test/with_dummyserver/test_poolmanger, +test/contrib/emscripten/test_emscrepten.py has not been modified because +is has been deleted in the pre-phase of the spec file;CHANGES.rst, +docs/reference/contrib/emscripten.rst,dummyserver/app.py has not been +modified because these are the latest features and informations, does +not involve related modifications +--- + src/urllib3/poolmanager.py | 18 +++++++++++++++++- + test/test_poolmanager.py | 5 +++-- + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index fb51bf7..a8de7c6 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -170,6 +170,22 @@ class PoolManager(RequestMethods): + + def __init__(self, num_pools=10, headers=None, **connection_pool_kw): + RequestMethods.__init__(self, headers) ++ if "retries" in connection_pool_kw: ++ retries = connection_pool_kw["retries"] ++ if not isinstance(retries, Retry): ++ # When Retry is initialized, raise_on_redirect is based ++ # on a redirect boolean value. ++ # But requests made via a pool manager always set ++ # redirect to False, and raise_on_redirect always ends ++ # up being False consequently. ++ # Here we fix the issue by setting raise_on_redirect to ++ # a value needed by the pool manager without considering ++ # the redirect boolean. ++ raise_on_redirect = retries is not False ++ retries = Retry.from_int(retries, redirect=False) ++ retries.raise_on_redirect = raise_on_redirect ++ connection_pool_kw = connection_pool_kw.copy() ++ connection_pool_kw["retries"] = retries + self.connection_pool_kw = connection_pool_kw + self.pools = RecentlyUsedContainer(num_pools) + +@@ -389,7 +405,7 @@ class PoolManager(RequestMethods): + kw["body"] = None + kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() + +- retries = kw.get("retries") ++ retries = kw.get("retries", response.retries) + if not isinstance(retries, Retry): + retries = Retry.from_int(retries, redirect=redirect) + +diff --git a/test/test_poolmanager.py b/test/test_poolmanager.py +index 61715e9..14536dd 100644 +--- a/test/test_poolmanager.py ++++ b/test/test_poolmanager.py +@@ -322,9 +322,10 @@ class TestPoolManager(object): + + def test_merge_pool_kwargs(self): + """Assert _merge_pool_kwargs works in the happy case""" +- p = PoolManager(strict=True) ++ retries = retry.Retry(total=100) ++ p = PoolManager(retries=retries, strict=True) + merged = p._merge_pool_kwargs({"new_key": "value"}) +- assert {"strict": True, "new_key": "value"} == merged ++ assert {"retries": retries, "strict": True, "new_key": "value"} == merged + + def test_merge_pool_kwargs_none(self): + """Assert false-y values to _merge_pool_kwargs result in defaults""" +-- +2.43.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 2e515b0..9e4be6f 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.26.12 -Release: 7 +Release: 8 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -20,6 +20,7 @@ Patch6005: backport-Fix-_idna_encode-handling-of-x80.patch Patch6006: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch Patch6007: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch Patch6008: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch +Patch6009: backport-CVE-2025-50181-fix-suspend-redirec-ineffective.patch BuildArch: noarch @@ -85,6 +86,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Tue Jul 22 2025 tangce - 1.26.12-8 +- Type:CVE +- CVE:CVE-2025-50181 +- SUG:NA +- DESC:fix CVE-2025-50181 Fix suspend redirect ineffective + * Tue Jun 25 2024 chengyechun - 1.26.12-7 - Type:CVE - CVE:CVE-2024-37891 -- Gitee