fix CVE-2024-37891

(cherry picked from commit e5a46544afed0d33a9025815cda94e60aee7bd41)

backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch

@@ -0,0 +1,73 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+
+Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified
+because it has been deleted in the pre-phase of the spec file
+Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
+
+---
+ CHANGES.rst               | 6 ++++++
+ src/urllib3/util/retry.py | 4 +++-
+ test/test_retry.py        | 6 +++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES.rst b/CHANGES.rst
+index 123953e..1a6f704 100644
+--- a/CHANGES.rst
++++ b/CHANGES.rst
+@@ -1,6 +1,12 @@
+ Changes
+ =======
+ 
++2.2.2 (2024-06-17)
++==================
++
++- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a di
++fferent host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
++
+ 1.26.12 (2022-08-22)
+ --------------------
+ 
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index f727602..4a6eb0d 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -235,7 +235,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 6475f2a..a0463e4 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -296,7 +296,11 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++        assert retry.remove_headers_on_redirect == {
++            "authorization",
++            "proxy-authorization",
++            "cookie",
++        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.33.0
+

python-urllib3.spec

@@ -3,7 +3,7 @@
 
 Name:           python-%{srcname}
 Version:        1.26.12
-Release:        6
+Release:        7
 Summary:        Sanity-friendly HTTP client for Python
 License:        MIT
 URL:            https://urllib3.readthedocs.io
@@ -19,6 +19,7 @@ Patch6004:      backport-Remove-Exclamation-mark-character-from-the-unreserved-c
 Patch6005:      backport-Fix-_idna_encode-handling-of-x80.patch
 Patch6006:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
 Patch6007:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+Patch6008:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 
 BuildArch:      noarch
 
@@ -84,6 +85,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 
 %changelog
+* Tue Jun 25 2024 chengyechun <chengyechun1@huawei.com> - 1.26.12-7
+- Type:CVE
+- CVE:CVE-2024-37891
+- SUG:NA
+- DESC:fix CVE-2024-37891 Strip Proxy-Authorization header on redirects
+
 * Fri Nov 03 2023 chengyechun <chengyechun1@huawei.com> - 1.26.12-6
 - Type:CVE
 - CVE:CVE-2023-45803