Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: python-urll...@packages.debian.org Control: affects -1 + src:python-urllib3
[ Reason ] Fix CVE-2025-50181 and CVE-2025-50182. [ Impact ] According to the CVEs (lightly edited): * It was possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users were not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. * urllib3 did not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. [ Tests ] There are unit test changes for each of the CVE fixes. [ Risks ] I just backported the changes from upstream. I'd say the code is of medium complexity, but if I ignore the test changes then the changes are quite short and easy enough to read. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock python-urllib3/2.3.0-3 Thanks, -- Colin Watson (he/him) [cjwat...@debian.org]
diff -Nru python-urllib3-2.3.0/debian/changelog python-urllib3-2.3.0/debian/changelog --- python-urllib3-2.3.0/debian/changelog 2025-03-12 12:20:41.000000000 +0100 +++ python-urllib3-2.3.0/debian/changelog 2025-07-13 14:09:35.000000000 +0200 @@ -1,3 +1,14 @@ +python-urllib3 (2.3.0-3) unstable; urgency=medium + + * Team upload. + * CVE-2025-50181: Fix a security issue where restricting the maximum + number of followed redirects at the `urllib3.PoolManager` level via the + `retries` parameter did not work (closes: #1108076). + * CVE-2025-50182: Make the Node.js runtime respect redirect parameters + such as `retries` and `redirects` (closes: #1108077). + + -- Colin Watson <cjwat...@debian.org> Sun, 13 Jul 2025 14:09:35 +0200 + python-urllib3 (2.3.0-2) unstable; urgency=medium * Team upload. diff -Nru python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch --- python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch 2025-07-13 14:09:35.000000000 +0200 @@ -0,0 +1,279 @@ +From: Illia Volochii <illia.voloc...@gmail.com> +Date: Wed, 18 Jun 2025 16:25:01 +0300 +Subject: Merge commit from fork + +* Apply Quentin's suggestion + +Co-authored-by: Quentin Pradet <quentin.pra...@gmail.com> + +* Add tests for disabled redirects in the pool manager + +* Add a possible fix for the issue with not raised `MaxRetryError` + +* Make urllib3 handle redirects instead of JS when JSPI is used + +* Fix info in the new comment + +* State that redirects with XHR are not controlled by urllib3 + +* Remove excessive params from new test requests + +* Add tests reaching max non-0 redirects + +* Test redirects with Emscripten + +* Fix `test_merge_pool_kwargs` + +* Add a changelog entry + +* Parametrize tests + +* Drop a fix for Emscripten + +* Apply Seth's suggestion to docs + +Co-authored-by: Seth Michael Larson <sethmichaellar...@gmail.com> + +* Use a minor release instead of the patch one + +--------- + +Co-authored-by: Quentin Pradet <quentin.pra...@gmail.com> +Co-authored-by: Seth Michael Larson <sethmichaellar...@gmail.com> + +Origin: upstream, https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 +Bug-Debian: https://bugs.debian.org/1108076 +Last-Update: 2025-07-13 +--- + docs/reference/contrib/emscripten.rst | 2 +- + dummyserver/app.py | 1 + + src/urllib3/poolmanager.py | 18 ++++- + test/contrib/emscripten/test_emscripten.py | 16 +++++ + test/test_poolmanager.py | 5 +- + test/with_dummyserver/test_poolmanager.py | 101 +++++++++++++++++++++++++++++ + 6 files changed, 139 insertions(+), 4 deletions(-) + +diff --git a/docs/reference/contrib/emscripten.rst b/docs/reference/contrib/emscripten.rst +index 99fb20f..a8f1cda 100644 +--- a/docs/reference/contrib/emscripten.rst ++++ b/docs/reference/contrib/emscripten.rst +@@ -65,7 +65,7 @@ Features which are usable with Emscripten support are: + * Timeouts + * Retries + * Streaming (with Web Workers and Cross-Origin Isolation) +-* Redirects ++* Redirects (determined by browser/runtime, not restrictable with urllib3) + * Decompressing response bodies + + Features which don't work with Emscripten: +diff --git a/dummyserver/app.py b/dummyserver/app.py +index 97b1b23..0eeb93f 100644 +--- a/dummyserver/app.py ++++ b/dummyserver/app.py +@@ -227,6 +227,7 @@ async def encodingrequest() -> ResponseReturnValue: + + + @hypercorn_app.route("/redirect", methods=["GET", "POST", "PUT"]) ++@pyodide_testing_app.route("/redirect", methods=["GET", "POST", "PUT"]) + async def redirect() -> ResponseReturnValue: + "Perform a redirect to ``target``" + values = await request.values +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index 085d1db..5763fea 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -203,6 +203,22 @@ class PoolManager(RequestMethods): + **connection_pool_kw: typing.Any, + ) -> None: + super().__init__(headers) ++ if "retries" in connection_pool_kw: ++ retries = connection_pool_kw["retries"] ++ if not isinstance(retries, Retry): ++ # When Retry is initialized, raise_on_redirect is based ++ # on a redirect boolean value. ++ # But requests made via a pool manager always set ++ # redirect to False, and raise_on_redirect always ends ++ # up being False consequently. ++ # Here we fix the issue by setting raise_on_redirect to ++ # a value needed by the pool manager without considering ++ # the redirect boolean. ++ raise_on_redirect = retries is not False ++ retries = Retry.from_int(retries, redirect=False) ++ retries.raise_on_redirect = raise_on_redirect ++ connection_pool_kw = connection_pool_kw.copy() ++ connection_pool_kw["retries"] = retries + self.connection_pool_kw = connection_pool_kw + + self.pools: RecentlyUsedContainer[PoolKey, HTTPConnectionPool] +@@ -456,7 +472,7 @@ class PoolManager(RequestMethods): + kw["body"] = None + kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() + +- retries = kw.get("retries") ++ retries = kw.get("retries", response.retries) + if not isinstance(retries, Retry): + retries = Retry.from_int(retries, redirect=redirect) + +diff --git a/test/contrib/emscripten/test_emscripten.py b/test/contrib/emscripten/test_emscripten.py +index 9317a09..5eaa674 100644 +--- a/test/contrib/emscripten/test_emscripten.py ++++ b/test/contrib/emscripten/test_emscripten.py +@@ -944,6 +944,22 @@ def test_retries( + pyodide_test(selenium_coverage, testserver_http.http_host, find_unused_port()) + + ++def test_redirects( ++ selenium_coverage: typing.Any, testserver_http: PyodideServerInfo ++) -> None: ++ @run_in_pyodide # type: ignore[misc] ++ def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) -> None: ++ from urllib3 import request ++ ++ redirect_url = f"http://{host}:{port}/redirect"; ++ response = request("GET", redirect_url) ++ assert response.status == 200 ++ ++ pyodide_test( ++ selenium_coverage, testserver_http.http_host, testserver_http.http_port ++ ) ++ ++ + def test_insecure_requests_warning( + selenium_coverage: typing.Any, testserver_http: PyodideServerInfo + ) -> None: +diff --git a/test/test_poolmanager.py b/test/test_poolmanager.py +index ab5f203..b481a19 100644 +--- a/test/test_poolmanager.py ++++ b/test/test_poolmanager.py +@@ -379,9 +379,10 @@ class TestPoolManager: + + def test_merge_pool_kwargs(self) -> None: + """Assert _merge_pool_kwargs works in the happy case""" +- p = PoolManager(retries=100) ++ retries = retry.Retry(total=100) ++ p = PoolManager(retries=retries) + merged = p._merge_pool_kwargs({"new_key": "value"}) +- assert {"retries": 100, "new_key": "value"} == merged ++ assert {"retries": retries, "new_key": "value"} == merged + + def test_merge_pool_kwargs_none(self) -> None: + """Assert false-y values to _merge_pool_kwargs result in defaults""" +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index af77241..7f163ab 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -84,6 +84,89 @@ class TestPoolManager(HypercornDummyServerTestCase): + assert r.status == 200 + assert r.data == b"Dummy server!" + ++ @pytest.mark.parametrize( ++ "retries", ++ (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)), ++ ) ++ def test_redirects_disabled_for_pool_manager_with_0( ++ self, retries: typing.Literal[0] | Retry ++ ) -> None: ++ """ ++ Check handling redirects when retries is set to 0 on the pool ++ manager. ++ """ ++ with PoolManager(retries=retries) as http: ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect") ++ ++ # Setting redirect=True should not change the behavior. ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect", redirect=True) ++ ++ # Setting redirect=False should not make it follow the redirect, ++ # but MaxRetryError should not be raised. ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False) ++ assert response.status == 303 ++ ++ @pytest.mark.parametrize( ++ "retries", ++ ( ++ False, ++ Retry(total=False), ++ Retry(redirect=False), ++ Retry(total=False, redirect=False), ++ ), ++ ) ++ def test_redirects_disabled_for_pool_manager_with_false( ++ self, retries: typing.Literal[False] | Retry ++ ) -> None: ++ """ ++ Check that setting retries set to False on the pool manager disables ++ raising MaxRetryError and redirect=True does not change the ++ behavior. ++ """ ++ with PoolManager(retries=retries) as http: ++ response = http.request("GET", f"{self.base_url}/redirect") ++ assert response.status == 303 ++ ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=True) ++ assert response.status == 303 ++ ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False) ++ assert response.status == 303 ++ ++ def test_redirects_disabled_for_individual_request(self) -> None: ++ """ ++ Check handling redirects when they are meant to be disabled ++ on the request level. ++ """ ++ with PoolManager() as http: ++ # Check when redirect is not passed. ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect", retries=0) ++ response = http.request("GET", f"{self.base_url}/redirect", retries=False) ++ assert response.status == 303 ++ ++ # Check when redirect=True. ++ with pytest.raises(MaxRetryError): ++ http.request( ++ "GET", f"{self.base_url}/redirect", retries=0, redirect=True ++ ) ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=False, redirect=True ++ ) ++ assert response.status == 303 ++ ++ # Check when redirect=False. ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=0, redirect=False ++ ) ++ assert response.status == 303 ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=False, redirect=False ++ ) ++ assert response.status == 303 ++ + def test_cross_host_redirect(self) -> None: + with PoolManager() as http: + cross_host_location = f"{self.base_url_alt}/echo?a=b" +@@ -138,6 +221,24 @@ class TestPoolManager(HypercornDummyServerTestCase): + pool = http.connection_from_host(self.host, self.port) + assert pool.num_connections == 1 + ++ # Check when retries are configured for the pool manager. ++ with PoolManager(retries=1) as http: ++ with pytest.raises(MaxRetryError): ++ http.request( ++ "GET", ++ f"{self.base_url}/redirect", ++ fields={"target": f"/redirect?target={self.base_url}/"}, ++ ) ++ ++ # Here we allow more retries for the request. ++ response = http.request( ++ "GET", ++ f"{self.base_url}/redirect", ++ fields={"target": f"/redirect?target={self.base_url}/"}, ++ retries=2, ++ ) ++ assert response.status == 200 ++ + def test_redirect_cross_host_remove_headers(self) -> None: + with PoolManager() as http: + r = http.request( diff -Nru python-urllib3-2.3.0/debian/patches/CVE-2025-50182.patch python-urllib3-2.3.0/debian/patches/CVE-2025-50182.patch --- python-urllib3-2.3.0/debian/patches/CVE-2025-50182.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-urllib3-2.3.0/debian/patches/CVE-2025-50182.patch 2025-07-13 14:09:35.000000000 +0200 @@ -0,0 +1,121 @@ +From: Illia Volochii <illia.voloc...@gmail.com> +Date: Wed, 18 Jun 2025 16:30:35 +0300 +Subject: Merge commit from fork + +Origin: upstream, https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f +Bug-Debian: https://bugs.debian.org/1108077 +Last-Update: 2025-07-13 +--- + docs/reference/contrib/emscripten.rst | 2 +- + src/urllib3/contrib/emscripten/fetch.py | 20 +++++++++++++ + test/contrib/emscripten/test_emscripten.py | 46 ++++++++++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 1 deletion(-) + +diff --git a/docs/reference/contrib/emscripten.rst b/docs/reference/contrib/emscripten.rst +index a8f1cda..4670757 100644 +--- a/docs/reference/contrib/emscripten.rst ++++ b/docs/reference/contrib/emscripten.rst +@@ -65,7 +65,7 @@ Features which are usable with Emscripten support are: + * Timeouts + * Retries + * Streaming (with Web Workers and Cross-Origin Isolation) +-* Redirects (determined by browser/runtime, not restrictable with urllib3) ++* Redirects (urllib3 controls redirects in Node.js but not in browsers where behavior is determined by runtime) + * Decompressing response bodies + + Features which don't work with Emscripten: +diff --git a/src/urllib3/contrib/emscripten/fetch.py b/src/urllib3/contrib/emscripten/fetch.py +index a514306..6695821 100644 +--- a/src/urllib3/contrib/emscripten/fetch.py ++++ b/src/urllib3/contrib/emscripten/fetch.py +@@ -573,6 +573,11 @@ def send_jspi_request( + "method": request.method, + "signal": js_abort_controller.signal, + } ++ # Node.js returns the whole response (unlike opaqueredirect in browsers), ++ # so urllib3 can set `redirect: manual` to control redirects itself. ++ # https://stackoverflow.com/a/78524615 ++ if _is_node_js(): ++ fetch_data["redirect"] = "manual" + # Call JavaScript fetch (async api, returns a promise) + fetcher_promise_js = js.fetch(request.url, _obj_from_dict(fetch_data)) + # Now suspend WebAssembly until we resolve that promise +@@ -693,6 +698,21 @@ def has_jspi() -> bool: + return False + + ++def _is_node_js() -> bool: ++ """ ++ Check if we are in Node.js. ++ ++ :return: True if we are in Node.js. ++ :rtype: bool ++ """ ++ return ( ++ hasattr(js, "process") ++ and hasattr(js.process, "release") ++ # According to the Node.js documentation, the release name is always "node". ++ and js.process.release.name == "node" ++ ) ++ ++ + def streaming_ready() -> bool | None: + if _fetcher: + return _fetcher.streaming_ready +diff --git a/test/contrib/emscripten/test_emscripten.py b/test/contrib/emscripten/test_emscripten.py +index 5eaa674..fbf89fc 100644 +--- a/test/contrib/emscripten/test_emscripten.py ++++ b/test/contrib/emscripten/test_emscripten.py +@@ -960,6 +960,52 @@ def test_redirects( + ) + + ++@pytest.mark.with_jspi ++def test_disabled_redirects( ++ selenium_coverage: typing.Any, testserver_http: PyodideServerInfo ++) -> None: ++ """ ++ Test that urllib3 can control redirects in Node.js. ++ """ ++ ++ @run_in_pyodide # type: ignore[misc] ++ def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) -> None: ++ import pytest ++ ++ from urllib3 import PoolManager, request ++ from urllib3.contrib.emscripten.fetch import _is_node_js ++ from urllib3.exceptions import MaxRetryError ++ ++ if not _is_node_js(): ++ pytest.skip("urllib3 does not control redirects in browsers.") ++ ++ redirect_url = f"http://{host}:{port}/redirect"; ++ ++ with PoolManager(retries=0) as http: ++ with pytest.raises(MaxRetryError): ++ http.request("GET", redirect_url) ++ ++ response = http.request("GET", redirect_url, redirect=False) ++ assert response.status == 303 ++ ++ with PoolManager(retries=False) as http: ++ response = http.request("GET", redirect_url) ++ assert response.status == 303 ++ ++ with pytest.raises(MaxRetryError): ++ request("GET", redirect_url, retries=0) ++ ++ response = request("GET", redirect_url, redirect=False) ++ assert response.status == 303 ++ ++ response = request("GET", redirect_url, retries=0, redirect=False) ++ assert response.status == 303 ++ ++ pyodide_test( ++ selenium_coverage, testserver_http.http_host, testserver_http.http_port ++ ) ++ ++ + def test_insecure_requests_warning( + selenium_coverage: typing.Any, testserver_http: PyodideServerInfo + ) -> None: diff -Nru python-urllib3-2.3.0/debian/patches/series python-urllib3-2.3.0/debian/patches/series --- python-urllib3-2.3.0/debian/patches/series 2025-03-12 12:20:41.000000000 +0100 +++ python-urllib3-2.3.0/debian/patches/series 2025-07-13 14:09:35.000000000 +0200 @@ -1,3 +1,5 @@ test_http2_probe_blocked_per_thread-requires_network.patch openssl-3.4.0.patch httpx-0.28.patch +CVE-2025-50181.patch +CVE-2025-50182.patch
