[python-requests] Backport patch to not ascribe cookies to the target domain
Ralph Bean
ralph at fedoraproject.org
Mon Mar 16 15:30:18 UTC 2015
commit 2665991eeac27f4b5d59bb1c664942cfd6810050
Author: Ralph Bean <rbean at redhat.com>
Date: Mon Mar 16 11:30:06 2015 -0400
Backport patch to not ascribe cookies to the target domain
python-requests-dont-ascribe-cookies.patch | 22 ++++++++++++++++++++++
python-requests.spec | 11 ++++++++++-
2 files changed, 32 insertions(+), 1 deletion(-)
---
diff --git a/python-requests-dont-ascribe-cookies.patch b/python-requests-dont-ascribe-cookies.patch
new file mode 100644
index 0000000..dcabc25
--- /dev/null
+++ b/python-requests-dont-ascribe-cookies.patch
@@ -0,0 +1,22 @@
+From 3bd8afbff29e50b38f889b2f688785a669b9aafc Mon Sep 17 00:00:00 2001
+From: Cory Benfield <lukasaoz at gmail.com>
+Date: Sat, 14 Mar 2015 08:49:55 +0000
+Subject: [PATCH] Don't ascribe cookies to the target domain.
+
+---
+ requests/sessions.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 4f30696..9d5498c 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -171,7 +171,7 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
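Review bot: The changed call `extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)` has no comment explaining why `req` is passed rather than `prepared_request`, and the two names are close enough that a later cleanup could silently revert it. I would add above it `# Cookies in resp belong to the request that produced it (req), not the redirect target; see CVE-2015-2296.` The fix presumably relies on `req` being the request that produced `resp` on every hop of a redirect chain. The part of resolve_redirects that would reassign `req` lies outside the hunk, so that is worth confirming against the 2.5.3 source being patched. The backport also carries no regression test; one asserting that a cookie set without a Domain attribute on a redirect response is not stored for the redirect target's host would guard against the fix being lost on the next rebase.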
diff --git a/python-requests.spec b/python-requests.spec
index 6748af7..b5c2d9d 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -6,7 +6,7 @@
Name: python-requests
Version: 2.5.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: HTTP library, written in Python, for human beings
License: ASL 2.0
@@ -19,6 +19,10 @@ Patch0: python-requests-system-cert-bundle.patch
# Remove an unnecessary reference to a bundled compat lib in urllib3
Patch1: python-requests-remove-nested-bundling-dep.patch
+# Backport fix for CVE-2015-2296
+# https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Patch2: python-requests-dont-ascribe-cookies.patch
+
BuildArch: noarch
BuildRequires: python2-devel
BuildRequires: python-chardet
@@ -61,6 +65,8 @@ designed to make HTTP requests easy for developers.
%patch0 -p1
%patch1 -p1
+%patch2 -p1
+
# Unbundle the certificate bundle from mozilla.
rm -rf requests/cacert.pem
@@ -141,6 +147,9 @@ popd
%endif
%changelog
+* Mon Mar 16 2015 Ralph Bean <rbean at redhat.com> - 2.5.3-2
+- Backport fix for CVE-2015-2296.
+
* Thu Feb 26 2015 Ralph Bean <rbean at redhat.com> - 2.5.3-1
- new version