Update dependency urllib3 to v1.26.18 [SECURITY] (#11535)

* Update dependency urllib3 to v1.26.18 [SECURITY] * Update dependency urllib3 to v1.26.18 [SECURITY] * Update lib --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Dario <medariox@users.noreply.github.com>
pymedusa · Dec 11, 2023 · 1211873 · 1211873
1 parent 9946e83
commit 1211873
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 7 deletions.
diff --git a/ext/readme.md b/ext/readme.md
@@ -65,7 +65,7 @@ ext | `trans` | [2.1.0](https://pypi.org/project/trans/2.1.0/) | `imdbpie` | Fil
 ext | `ttl-cache` | [1.6](https://pypi.org/project/ttl-cache/1.6/) | **`medusa`**, `adba` | File: `ttl_cache.py`
 ext | **`tvdbapiv2`** | pymedusa/[d6d0e9d](https://github.com/pymedusa/tvdbv2/tree/d6d0e9d98071c2d646beb997b336edbb0e98dfb7) | **`medusa`** | -
 ext | `typing-extensions` | [4.1.1](https://pypi.org/project/typing-extensions/4.1.1/) | `importlib_metadata` | File: `typing_extensions.py`
-ext | **`urllib3`** | [1.26.16](https://pypi.org/project/urllib3/1.26.16/) | `requests` | -
+ext | **`urllib3`** | [1.26.18](https://pypi.org/project/urllib3/1.26.18/) | `requests` | -
 ext | **`validators`** | [0.20.0](https://pypi.org/project/validators/0.20.0/) | **`medusa`** | -
 ext | **`webencodings`** | [0.5.1](https://pypi.org/project/webencodings/0.5.1/) | `html5lib` | -
 ext | **`wrapt`** | [1.14.1](https://pypi.org/project/wrapt/1.14.1/) | `deprecated` | -

diff --git a/ext/urllib3/_collections.py b/ext/urllib3/_collections.py
@@ -268,6 +268,24 @@ def getlist(self, key, default=__marker):
         else:
             return vals[1:]
 
+    def _prepare_for_method_change(self):
+        """
+        Remove content-specific header fields before changing the request
+        method to GET or HEAD according to RFC 9110, Section 15.4.
+        """
+        content_specific_headers = [
+            "Content-Encoding",
+            "Content-Language",
+            "Content-Location",
+            "Content-Type",
+            "Content-Length",
+            "Digest",
+            "Last-Modified",
+        ]
+        for header in content_specific_headers:
+            self.discard(header)
+        return self
+
     # Backwards compatibility for httplib
     getheaders = getlist
     getallmatchingheaders = getlist

diff --git a/ext/urllib3/_version.py b/ext/urllib3/_version.py
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.17"
+__version__ = "1.26.18"
diff --git a/ext/urllib3/connectionpool.py b/ext/urllib3/connectionpool.py
@@ -9,6 +9,7 @@
 from socket import error as SocketError
 from socket import timeout as SocketTimeout
 
+from ._collections import HTTPHeaderDict
 from .connection import (
     BaseSSLError,
     BrokenPipeError,
@@ -843,7 +844,11 @@ def _is_ssl_error_message_from_http_proxy(ssl_error):
         redirect_location = redirect and response.get_redirect_location()
         if redirect_location:
             if response.status == 303:
+                # Change the method according to RFC 9110, Section 15.4.4.
                 method = "GET"
+                # And lose the body not to transfer anything sensitive.
+                body = None
+                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
 
             try:
                 retries = retries.increment(method, url, response=response, _pool=self)

diff --git a/ext/urllib3/contrib/securetransport.py b/ext/urllib3/contrib/securetransport.py
@@ -64,9 +64,8 @@
 import threading
 import weakref
 
-import six
-
 from .. import util
+from ..packages import six
 from ..util.ssl_ import PROTOCOL_TLS_CLIENT
 from ._securetransport.bindings import CoreFoundation, Security, SecurityConst
 from ._securetransport.low_level import (

diff --git a/ext/urllib3/poolmanager.py b/ext/urllib3/poolmanager.py
@@ -4,7 +4,7 @@
 import functools
 import logging
 
-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
 from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
 from .exceptions import (
     LocationValueError,
@@ -382,9 +382,12 @@ def urlopen(self, method, url, redirect=True, **kw):
         # Support relative URLs for redirecting.
         redirect_location = urljoin(url, redirect_location)
 
-        # RFC 7231, Section 6.4.4
         if response.status == 303:
+            # Change the method according to RFC 9110, Section 15.4.4.
             method = "GET"
+            # And lose the body not to transfer anything sensitive.
+            kw["body"] = None
+            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
 
         retries = kw.get("retries")
         if not isinstance(retries, Retry):

diff --git a/requirements.txt b/requirements.txt
@@ -38,5 +38,5 @@ tornado==6.1
 tornroutes==0.5.1
 ttl-cache==1.6
 tvdbapiv2 @ https://codeload.github.com/pymedusa/tvdbv2/tar.gz/d6d0e9d98071c2d646beb997b336edbb0e98dfb7
-urllib3==1.26.17
+urllib3==1.26.18
 validators==0.20.0