diff --git a/1-bugfix-for-CVE-2024-47081.patch b/1-bugfix-for-CVE-2024-47081.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b271a342f362fb7556b1d5bbf7f8b480a99f89db
--- /dev/null
+++ b/1-bugfix-for-CVE-2024-47081.patch
@@ -0,0 +1,28 @@
+From 96ba401c1296ab1dda74a2365ef36d88f7d144ef Mon Sep 17 00:00:00 2001
+From: Nate Prewitt
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/src/requests/utils.py b/src/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/src/requests/utils.py
++++ b/src/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b":"
+- if isinstance(url, str):
+- splitstr = splitstr.decode("ascii")
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
diff --git a/python-requests.spec b/python-requests.spec
index b6d3760da12e409130e5eb3c06ef6d53df744d39..9742cb6255d9811ac8ea589aa6ffbdd31cd4c6d7 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %bcond_with tests
@@ -11,6 +11,7 @@ License: ASL 2.0
 URL: https://pypi.io/project/requests
 Source0: https://github.com/psf/requests/releases/download/v%{version}/requests-%{version}.tar.gz
+Patch1: 1-bugfix-for-CVE-2024-47081.patch
 BuildArch: noarch
 %description
@@ -88,6 +89,9 @@ sed -i 's/ --doctest-modules//' pyproject.toml
 %doc README.md HISTORY.md
 %changelog
+* Wed Jul 02 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.32.3-2
+- Fix CVE-2024-47081
+
 * Wed Apr 23 2025 mgb01105731 - 2.32.3-1
 - updat eto 2.32.3
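Review bot: The replacement line `host = ri.hostname` in get_netrc_auth (src/requests/utils.py hunk) has no comment recording why the netrc lookup key must be the parsed hostname, and the hunk deletes the only comment that stood at that spot. I would add above it `# Look up netrc by the parsed hostname only; netloc may carry userinfo, so splitting it on ":" can select another machine's entry (CVE-2024-47081).` Also, `urlparse().hostname` is lowercased and is `None` for a URL without a host, while `netrc.authenticators()` compares machine names exactly, so a mixed-case `machine` entry that matched before would presumably stop matching; that is worth a line in the changelog. The embedded patch changes one file and adds no regression test, so nothing visible here checks the userinfo-in-netloc case. The function body starts and ends outside the hunk.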
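Review bot: The `Patch1:` line added in python-requests.spec only declares the patch, and no hunk in this diff touches `%prep`, so whether the fix is actually applied at build time cannot be confirmed from what is shown. If `%prep` uses plain `%setup` rather than `%autosetup -p1` or an explicit `%patch` step, the CVE fix would be listed in the package but not shipped; the patch uses `a/` and `b/` path prefixes, so it needs strip level 1. Because the spec has `%bcond_with tests`, the test suite is off by default and a build would not notice an unapplied patch.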