Update dependency requests to ==2.31.* [SECURITY] #31
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
278aa04 to
1a97722
Compare
1a97722 to
00bb9a0
Compare
00bb9a0 to
38fbe72
Compare
38fbe72 to
8315d1d
Compare
8315d1d to
c5b86fb
Compare
c5b86fb to
d1f4c64
Compare
d1f4c64 to
263ccbe
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
== 2.8.*->==2.31.*Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2018-18074
The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
CVE-2023-32681
Impact
Since Requests v2.3.0, Requests has been vulnerable to potentially leaking
Proxy-Authorizationheaders to destination servers, specifically during redirects to an HTTPS origin. This is a product of howrebuild_proxiesis used to recompute and reattach theProxy-Authorizationheader to requests when redirected. Note this behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g.https://username:password@proxy:8080).Current vulnerable behavior(s):
For HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the
Proxy-Authorizationheader must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.The reason this currently works for HTTPS connections in Requests is the
Proxy-Authorizationheader is also handled by urllib3 with our usage of the ProxyManager in adapters.py withproxy_manager_for. This will compute the required proxy headers inproxy_headersand pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.Patches
Starting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.
For users with custom adapters, this may be potentially breaking if you were already working around this behavior. The previous functionality of
rebuild_proxiesdoesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.Workarounds
For users who are not able to update Requests immediately, there is one potential workaround.
You may disable redirects by setting
allow_redirectstoFalseon all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.Credits
This vulnerability was discovered and disclosed by the following individuals.
Dennis Brinkrolf, Haxolot (https://haxolot.com/)
Tobias Funke, (tobiasfunke93@gmail.com)
Release Notes
psf/requests (requests)
v2.31.0Compare Source
Security
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of
Proxy-Authorizationheaders to destination servers whenfollowing HTTPS redirects.
When proxies are defined with user info (
https://user:pass@proxy:8080), Requestswill construct a
Proxy-Authorizationheader that is attached to the request toauthenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the
Proxy-Authorizationheader incorrectly, resulting in the value beingsent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our Github Security Advisory
and CVE-2023-32681.
v2.30.0Compare Source
Dependencies
This may contain minor breaking changes so we advise careful testing and
reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to
urllib3<2.v2.29.0Compare Source
Improvements
standardization. (#6226)
v2.28.2Compare Source
Dependencies
Bugfixes
v2.28.1Compare Source
Improvements
iter_contentwith transition toyield from. (#6170)Dependencies
v2.28.0Compare Source
Deprecations
Improvements
an encoding to make
json()API consistent. (#6097)all invalid cases. (#6154)
Bugfixes
CURL_CA_BUNDLEto an empty string would disablecert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)
urllib3.exceptions.SSLErrorwithrequests.exceptions.SSLErrorforcontentanditer_content. (#6057)to raise an exception rather than ignoring the entry. (#6149)
JSONDecodeError. (#6036)
v2.27.1Compare Source
Bugfixes
authcomponent beingdropped from proxy URLs. (#6028)
v2.27.0Compare Source
Improvements
Officially added support for Python 3.10. (#5928)
Added a
requests.exceptions.JSONDecodeErrorto unify JSON exceptions betweenPython 2 and 3. This gets raised in the
response.json()method, and isbackwards compatible as it inherits from previously thrown exceptions.
Can be caught from
requests.exceptions.RequestExceptionas well. (#5856)Improved error text for misnamed
InvalidSchemaandMissingSchemaexceptions. This is a temporary fix until exceptions can be renamed
(Schema->Scheme). (#6017)
Improved proxy parsing for proxy URLs missing a scheme. This will address
recent changes to
urlparsein Python 3.9+. (#5917)Bugfixes
Fixed defect in
extract_zipped_pathswhich could result in an infinite loopfor some paths. (#5851)
Fixed handling for
AttributeErrorwhen calculating length of files obtainedby
Tarfile.extractfile(). (#5239)Fixed urllib3 exception leak, wrapping
urllib3.exceptions.InvalidHeaderwithrequests.exceptions.InvalidHeader. (#5914)Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where
Proxy-Authorizationwasincorrectly stripped from all requests sent with
Session.send. (#5924)Fixed performance regression in 2.26.0 for hosts with a large number of
proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping
UnicodeErrorwithrequests.exceptions.InvalidURLfor URLs with a leading dot (.) in thedomain. (#5414)
Deprecations
don't have exact dates, Requests 2.27.x is likely to be the last release
series providing support.
v2.26.0Compare Source
Improvements
Requests now supports Brotli compression, if either the
brotliorbrotlicffipackage is installed. (#5783)Session.sendnow correctly resolves proxy configurations from boththe Session and Request. Behavior now matches
Session.request. (#5681)Bugfixes
from zip archive. (#5707)
Dependencies
Instead of
chardet, use the MIT-licensedcharset_normalizerfor Python3to remove license ambiguity for projects bundling requests. If
chardetis already installed on your machine it will be used instead of
charset_normalizerto keep backwards compatibility. (#5797)
You can also install
chardetwhile installing requests byspecifying
[use_chardet_on_py3]extra as follows:pip install "requests[use_chardet_on_py3]"Python2 still depends upon the
chardetmodule.Requests now supports
idna3.x on Python 3.idna2.x will continue tobe used on Python 2 installations. (#5711)
Deprecations
The
requests[security]extra has been converted to a no-op install.PyOpenSSL is no longer the recommended secure option for Requests. (#5867)
Requests has officially dropped support for Python 3.5. (#5867)
v2.25.1Compare Source
Bugfixes
application/jsonasutf8by default. Resolvinginconsistencies between
r.textandr.jsonoutput. (#5673)Dependencies
v2.25.0Compare Source
Improvements
Dependencies
Deprecations
requests[security]extra is officially deprecated and will be removedin Requests v2.26.0.
v2.24.0Compare Source
Improvements
pyOpenSSL TLS implementation is now only used if Python
either doesn't have an
sslmodule or doesn't supportSNI. Previously pyOpenSSL was unconditionally used if available.
This applies even if pyOpenSSL is installed via the
requests[security]extra (#5443)Redirect resolution should now only occur when
allow_redirectsis True. (#5492)No longer perform unnecessary Content-Length calculation for
requests that won't use it. (#5496)
v2.23.0Compare Source
Improvements
prefetchin Session__attrs__(#5110)Bugfixes
Dependencies
chardetandidnanow uses major version instead of minor.This hopefully reduces the need for releases every time a dependency is updated.
v2.22.0Compare Source
Dependencies
(note: 1.25.0 and 1.25.1 are incompatible)
Deprecations
v2.21.0Compare Source
Dependencies
v2.20.1Compare Source
Bugfixes
redirects using default ports (http/80, https/443).
v2.20.0Compare Source
Bugfixes
charset=utf8 v Charset=utf8).
uncaught urllib3 exceptions.
from https to http on the same hostname. (CVE-2018-18074)
should_bypass_proxiesnow handles URIs without hostnames (e.g.files).
Dependencies
Deprecations
v2.19.1Compare Source
Bugfixes
initfunction failed tryingto append to a
__doc__value ofNone.v2.19.0Compare Source
Improvements
< 1.3.4
adapter.
7.1.2)
Request.content.Bugfixes
Linkheaders withparse_header_links()no longerreturn one bogus entry.
archive would raise an
IOError.ImportErroron windows system which donot support
winregmodule.password in the request. This also fixes the issue of DNS queries
failing on macOS.
Noneas a file pointer to thefilesparam no longerraises an exception.
copyon aRequestsCookieJarwill now preserve the cookiepolicy correctly.
Dependencies
v2.18.4Compare Source
Improvements
easier debugging
Dependencies
v2.18.3Compare Source
Improvements
$ python -m requests.helpnow includes the installedversion of idna.
Bugfixes
ConnectionErrorinstead ofSSLErrorwhen encountering SSL problems when using urllib3 v1.22.v2.18.2Compare Source
Bugfixes
requests.helpno longer fails on Python 2.6 due to the absence ofssl.OPENSSL_VERSION_NUMBER.Dependencies
v2.18.1Compare Source
Bugfixes
*.whlcontainedincorrect data that regressed the fix in v2.17.3.
v2.18.0Compare Source
Improvements
Responseis now a context manager, so can be used directly in awithstatement without first having to be wrapped bycontextlib.closing().Bugfixes
number of CPU cores
v2.17.3Compare Source
Improvements
packagesnamespace identity support, for monkeypatchinglibraries.
v2.17.2Compare Source
Improvements
packagesnamespace identity support, for monkeypatchinglibraries.
v2.17.1Compare Source
Improvements
packagesnamespace identity support, for monkeypatchinglibraries.
v2.17.0Compare Source
Improvements
v2.16.5Compare Source
$ python -m requests.help.v2.16.4Compare Source
$ python -m requests.helpcommand, fordebugging with maintainers!
v2.16.3Compare Source
requests.packagesnamespace for compatibilityreasons.
v2.16.2Compare Source
requests.packagesnamespace for compatibilityreasons.
No code modification (noted below) should be necessary any longer.
v2.16.1Compare Source
requests.packagesnamespace for compatibilityreasons.
urllib3version parsing.Note: code that was written to import against the
requests.packagesnamespace previously will have to import code thatrests at this module-level now.
For example:
Will need to be re-written to be:
Or, even better:
v2.16.0Compare Source
v2.15.1Compare Source
v2.15.0Compare Source
Improvements
Response.nextproperty, for getting the nextPreparedResponsefrom a redirect chain (whenallow_redirects=False).__version__module.Bugfixes
requests.utils.get_environ_proxies().v2.14.2Compare Source
Bugfixes
markers to widen compatibility with older setuptools releases.
v2.14.1Compare Source
Bugfixes
releases.
v2.14.0Compare Source
Improvements
no_proxyas a key to theproxiesdictionary to provide handling similar to the
NO_PROXYenvironmentvariable.
directories Requests now raises
IOError, rather than failing atthe time of the HTTPS request with a fairly inscrutable certificate
validation error.
SessionRedirectMixinwas slightly altered.resolve_redirectswill now detect a redirect by callingget_redirect_target(response)instead of directly queryingResponse.is_redirectandResponse.headers['location']. Advancedusers will be able to process malformed redirects more easily.
higher resolution on Windows.
win_inet_ptonas conditional dependency for the[socks]extra on Windows with Python 2.7.
check doesn't use forward and reverse DNS requests anymore
httpbut are nothttporhttpsno longer have their host parts forced to lowercase.Bugfixes
Locationheader values inredirects. Fewer
UnicodeDecodeErrorsare encountered on Python 2,and Python 3 now correctly understands that Latin-1 is unlikely to
be the correct encoding.
seekfile to find out its length fails, we nowappropriately handle that by aborting our content-length
calculations.
HTTPDigestAuthto only respond to auth challenges madeon 4XX responses, rather than to all auth challenges.
DeprecationWarningon Python 3.6./o\\) no longer has a big head. I'msure this is what you were all worrying about most.
Miscellaneous
v2.13.0Compare Source
Features
idnalibrary when we've determined we need it. Thiswill save some memory for users.
Miscellaneous
v2.12.5Compare Source
Bugfixes
big-endian UTF-32 with BOM.
v2.12.4Compare Source
Bugfixes
the basic auth parameters. While support for this behaviour has been
re-added, the behaviour is deprecated and will be removed in the
future.
v2.12.3Compare Source
Bugfixes
"http". These URLs have historically been processed as though they
were HTTP-schemed URLs, and so have had parameters added. This was
removed in v2.12.2 in an overzealous attempt to resolve problems
with IDNA-encoding those URLs. This change was reverted: the other
fixes for IDNA-encoding have been judged to be sufficient to return
to the behaviour Requests had before v2.12.0.
v2.12.2Compare Source
Bugfixes
invalid but which are widely accepted. Requests will now attempt to
IDNA-encode a URL if it can but, if it fails, and the host contains
only ASCII characters, it will be passed through optimistically.
This will allow users to opt-in to using IDNA2003 themselves if they
want to, and will also allow technically invalid but still common
hostnames.
InvalidSchemaerrors.would still have HTTP URL preparation applied to them.
auth.
constructing a Response object would cause
Response.contenttoraise an
AttributeError.v2.12.1Compare Source
Bugfixes
urllib3.
Miscellaneous
v2.12.0Compare Source
Improvements
IDNA2008. This updated support is required for several forms of IDNs
and is mandatory for .de domains.
no longer read an entire
StringIOinto memory.Content-Lengthheaders forPreparedRequestobjects.tellmethodbut do have a
seekmethod.Mappingis now treated like adictionary by the
data=keyword argument.than stripping the credentials.
request is redirected with a 307 or 308 status code, Requests will
now attempt to rewind the body object so it can be replayed.
Bugfixes
response.close, the call toclosewill bepropagated through to non-urllib3 backends.
ALL_PROXYenvironment variable would bepreferred over scheme-specific variables like
HTTP_PROXY.falling back to decoding using ISO 8859-1 instead.
when using custom Host headers if those Host headers did not use the
native string type for the platform.
Miscellaneous
v2.11.1Compare Source
Bugfixes
iter_contentwithdecode_unicode=Trueforstreamed bodies would raise
AttributeError. This bug wasintroduced in 2.11.
block when following a redirect that transforms the verb from
POST/PUT to GET.
v2.11.0Compare Source
Improvements
ALL_PROXYenvironment variable.characters to reduce risk of header smuggling.
Bugfixes
TypeErrorwhen attempting to decode a JSONresponse that occurred in an error case. Now correctly returns a
ValueError.NO_PROXYenvironment variables: Requests now treats it as aspecific IP.
obscure OpenSSL errors in certain network conditions (yes, really).
iter_contentonly acceptsintegers and
Nonefor chunk sizes.would have the underlying connection closed but not returned to the
connection pool, which could cause Requests to hang in situations
where the
HTTPAdapterhad been configured to use a blockingconnection pool.
Miscellaneous
acceptable header values. This release does not.
v2.10.0Compare Source
New Features
$ pip install requests[socks])Miscellaneous
v2.9.2Compare Source
Improvements
OrderedDict as its underlying datastore.
Bugfixes
tell(), send themvia chunked transfer encoding instead of failing.
v2.9.1Compare Source
Bugfixes
send binary strings as bodies in Python 3.
locales.
Miscellaneous
v2.9.0Compare Source
Minor Improvements (Backwards compatible)
verifykeyword argument now supports being passed a path to adirectory of CA certificates, not just a single-file bundle.
status code registry.
Bugfixes
now send the content length for the number of bytes we will actually
read, rather than the total size of the file, allowing partial file
uploads.
obvious content length we set
Transfer-Encoding: chunkedratherthan
Content-Length: 0.chunked bodies.
3, by decoding it as UTF-8.
using the functional API rather than leaking and waiting for the
garbage collector to clean them up.
qopdirective that contains no token, by treating it the same as if no
qopdirective was provided at all.name.
Miscellaneous
v2.8.1Compare Source
Bugfixes
certifi2015.9.6.2's weakcertificate bundle.
ConnectTimeoutinstead of
ConnectionErrorrespect the
jsonparameter. Broken in 2.8.0.handle a Unicode-string method name on Python 2. Broken in 2.8.0.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.