| Message ID | 20260504112321.1912618-1-namanj1@kpit.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta,scarthgap] python3-urllib3: fix CVE-2025-50182 | expand |
I think this is the same as was already submitted and then rejected under https://lists.openembedded.org/g/openembedded-core/message/220031 Peter > -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded- > core@lists.openembedded.org> On Behalf Of Naman Jain via > lists.openembedded.org > Sent: Monday, May 4, 2026 1:23 PM > To: openembedded-core@lists.openembedded.org > Cc: sana.kazi@bmwtechworks.in > Subject: [OE-core] [meta][scarthgap][PATCH] python3-urllib3: fix CVE-2025-50182 > > From: Yogita Urade <yogita.urade@windriver.com> > > urllib3 is a user-friendly HTTP client library for Python. Prior > to 2.5.0, urllib3 does not control redirects in browsers and > Node.js. urllib3 supports being used in a Pyodide runtime utilizing > the JavaScript Fetch API or falling back on XMLHttpRequest. This > means Python libraries can be used to make HTTP requests from a > browser or Node.js. Additionally, urllib3 provides a mechanism to > control redirects, but the retries and redirect parameters are > ignored with Pyodide; the runtime itself determines redirect > behavior. This issue has been patched in version 2.5.0. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2025-50182 > > Upstream patch: > https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e97 > 36194f > > (From OE-Core rev: 082b865d9814e7e7aca4466551a035199aa8b563) > > Signed-off-by: Yogita Urade <yogita.urade@windriver.com> > Signed-off-by: Steve Sakoman <steve@sakoman.com> > (cherry picked from commit 0372024fe7ab2cea5eddf686f9bee0f8f07a2000) > Signed-off-by: Sana Kazi <sana.kazi@bmwtechworks.in> > --- > .../python3-urllib3/CVE-2025-50182.patch | 112 ++++++++++++++++++ > .../python/python3-urllib3_2.2.2.bb | 1 + > 2 files changed, 113 insertions(+) > create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025- > 50182.patch > > diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch > b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch > new file mode 100644 > index 0000000000..3c0efec119 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch > @@ -0,0 +1,112 @@ > +From 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f Mon Sep 17 00:00:00 > 2001 > +From: Illia Volochii <illia.volochii@gmail.com> > +Date: Wed, 18 Jun 2025 16:30:35 +0300 > +Subject: [PATCH] Merge commit from fork > + > +CVE: CVE-2025-50182 > +Upstream-Status: Backport > [https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e97 > 36194f] > + > +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> > +--- > + docs/reference/contrib/emscripten.rst | 2 +- > + src/urllib3/contrib/emscripten/fetch.py | 20 ++++++++++ > + test/contrib/emscripten/test_emscripten.py | 46 ++++++++++++++++++++++ > + 3 files changed, 67 insertions(+), 1 deletion(-) > + > +diff --git a/docs/reference/contrib/emscripten.rst > b/docs/reference/contrib/emscripten.rst > +index a8f1cda..4670757 100644 > +--- a/docs/reference/contrib/emscripten.rst > ++++ b/docs/reference/contrib/emscripten.rst > +@@ -68,7 +68,7 @@ Features which are usable with Emscripte > + * Timeouts > + * Retries > + * Streaming (with Web Workers and Cross-Origin Isolation) > +-* Redirects (determined by browser/runtime, not restrictable with urllib3) > ++* Redirects (urllib3 controls redirects in Node.js but not in browsers where > behavior is determined by runtime) > + * Decompressing response bodies > + > + Features which don't work with Emscripten: > +diff --git a/src/urllib3/contrib/emscripten/fetch.py > b/src/urllib3/contrib/emscripten/fetch.py > +index a514306..6695821 100644 > +--- a/src/urllib3/contrib/emscripten/fetch.py > ++++ b/src/urllib3/contrib/emscripten/fetch.py > +@@ -403,6 +403,21 @@ def send_request(request: EmscriptenRequ > + raise _RequestError(err.message, request=request) > + > + > ++def _is_node_js() -> bool: > ++ """ > ++ Check if we are in Node.js. > ++ > ++ :return: True if we are in Node.js. > ++ :rtype: bool > ++ """ > ++ return ( > ++ hasattr(js, "process") > ++ and hasattr(js.process, "release") > ++ # According to the Node.js documentation, the release name is always > "node". > ++ and js.process.release.name == "node" > ++ ) > ++ > ++ > + def streaming_ready() -> bool | None: > + if _fetcher: > + return _fetcher.streaming_ready > +diff --git a/test/contrib/emscripten/test_emscripten.py > b/test/contrib/emscripten/test_emscripten.py > +index 5eaa674..fbf89fc 100644 > +--- a/test/contrib/emscripten/test_emscripten.py > ++++ b/test/contrib/emscripten/test_emscripten.py > +@@ -964,6 +964,51 @@ def test_redirects( > + selenium_coverage, testserver_http.http_host, testserver_http.http_port > + ) > + > ++@pytest.mark.with_jspi > ++def test_disabled_redirects( > ++ selenium_coverage: typing.Any, testserver_http: PyodideServerInfo > ++) -> None: > ++ """ > ++ Test that urllib3 can control redirects in Node.js. > ++ """ > ++ > ++ @run_in_pyodide # type: ignore[misc] > ++ def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) -> None: > ++ import pytest > ++ > ++ from urllib3 import PoolManager, request > ++ from urllib3.contrib.emscripten.fetch import _is_node_js > ++ from urllib3.exceptions import MaxRetryError > ++ > ++ if not _is_node_js(): > ++ pytest.skip("urllib3 does not control redirects in browsers.") > ++ > ++ redirect_url = f"http://{host}:{port}/redirect" > ++ > ++ with PoolManager(retries=0) as http: > ++ with pytest.raises(MaxRetryError): > ++ http.request("GET", redirect_url) > ++ > ++ response = http.request("GET", redirect_url, redirect=False) > ++ assert response.status == 303 > ++ > ++ with PoolManager(retries=False) as http: > ++ response = http.request("GET", redirect_url) > ++ assert response.status == 303 > ++ > ++ with pytest.raises(MaxRetryError): > ++ request("GET", redirect_url, retries=0) > ++ > ++ response = request("GET", redirect_url, redirect=False) > ++ assert response.status == 303 > ++ > ++ response = request("GET", redirect_url, retries=0, redirect=False) > ++ assert response.status == 303 > ++ > ++ pyodide_test( > ++ selenium_coverage, testserver_http.http_host, testserver_http.http_port > ++ ) > ++ > + > + @install_urllib3_wheel() > + def test_insecure_requests_warning( > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb b/meta/recipes- > devtools/python/python3-urllib3_2.2.2.bb > index f6ac8f89ca..19c51b68a7 100644 > --- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb > +++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb > @@ -12,6 +12,7 @@ SRC_URI += " \ > file://CVE-2025-66418.patch \ > file://CVE-2025-66471.patch \ > file://CVE-2026-21441.patch \ > + file://CVE-2025-50182.patch \ > " > > RDEPENDS:${PN} += "\ > -- > 2.34.1
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch new file mode 100644 index 0000000000..3c0efec119 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch @@ -0,0 +1,112 @@ +From 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f Mon Sep 17 00:00:00 2001 +From: Illia Volochii <illia.volochii@gmail.com> +Date: Wed, 18 Jun 2025 16:30:35 +0300 +Subject: [PATCH] Merge commit from fork + +CVE: CVE-2025-50182 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + docs/reference/contrib/emscripten.rst | 2 +- + src/urllib3/contrib/emscripten/fetch.py | 20 ++++++++++ + test/contrib/emscripten/test_emscripten.py | 46 ++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 1 deletion(-) + +diff --git a/docs/reference/contrib/emscripten.rst b/docs/reference/contrib/emscripten.rst +index a8f1cda..4670757 100644 +--- a/docs/reference/contrib/emscripten.rst ++++ b/docs/reference/contrib/emscripten.rst +@@ -68,7 +68,7 @@ Features which are usable with Emscripte + * Timeouts + * Retries + * Streaming (with Web Workers and Cross-Origin Isolation) +-* Redirects (determined by browser/runtime, not restrictable with urllib3) ++* Redirects (urllib3 controls redirects in Node.js but not in browsers where behavior is determined by runtime) + * Decompressing response bodies + + Features which don't work with Emscripten: +diff --git a/src/urllib3/contrib/emscripten/fetch.py b/src/urllib3/contrib/emscripten/fetch.py +index a514306..6695821 100644 +--- a/src/urllib3/contrib/emscripten/fetch.py ++++ b/src/urllib3/contrib/emscripten/fetch.py +@@ -403,6 +403,21 @@ def send_request(request: EmscriptenRequ + raise _RequestError(err.message, request=request) + + ++def _is_node_js() -> bool: ++ """ ++ Check if we are in Node.js. ++ ++ :return: True if we are in Node.js. ++ :rtype: bool ++ """ ++ return ( ++ hasattr(js, "process") ++ and hasattr(js.process, "release") ++ # According to the Node.js documentation, the release name is always "node". ++ and js.process.release.name == "node" ++ ) ++ ++ + def streaming_ready() -> bool | None: + if _fetcher: + return _fetcher.streaming_ready +diff --git a/test/contrib/emscripten/test_emscripten.py b/test/contrib/emscripten/test_emscripten.py +index 5eaa674..fbf89fc 100644 +--- a/test/contrib/emscripten/test_emscripten.py ++++ b/test/contrib/emscripten/test_emscripten.py +@@ -964,6 +964,51 @@ def test_redirects( + selenium_coverage, testserver_http.http_host, testserver_http.http_port + ) + ++@pytest.mark.with_jspi ++def test_disabled_redirects( ++ selenium_coverage: typing.Any, testserver_http: PyodideServerInfo ++) -> None: ++ """ ++ Test that urllib3 can control redirects in Node.js. ++ """ ++ ++ @run_in_pyodide # type: ignore[misc] ++ def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) -> None: ++ import pytest ++ ++ from urllib3 import PoolManager, request ++ from urllib3.contrib.emscripten.fetch import _is_node_js ++ from urllib3.exceptions import MaxRetryError ++ ++ if not _is_node_js(): ++ pytest.skip("urllib3 does not control redirects in browsers.") ++ ++ redirect_url = f"http://{host}:{port}/redirect" ++ ++ with PoolManager(retries=0) as http: ++ with pytest.raises(MaxRetryError): ++ http.request("GET", redirect_url) ++ ++ response = http.request("GET", redirect_url, redirect=False) ++ assert response.status == 303 ++ ++ with PoolManager(retries=False) as http: ++ response = http.request("GET", redirect_url) ++ assert response.status == 303 ++ ++ with pytest.raises(MaxRetryError): ++ request("GET", redirect_url, retries=0) ++ ++ response = request("GET", redirect_url, redirect=False) ++ assert response.status == 303 ++ ++ response = request("GET", redirect_url, retries=0, redirect=False) ++ assert response.status == 303 ++ ++ pyodide_test( ++ selenium_coverage, testserver_http.http_host, testserver_http.http_port ++ ) ++ + + @install_urllib3_wheel() + def test_insecure_requests_warning( +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb index f6ac8f89ca..19c51b68a7 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb @@ -12,6 +12,7 @@ SRC_URI += " \ file://CVE-2025-66418.patch \ file://CVE-2025-66471.patch \ file://CVE-2026-21441.patch \ + file://CVE-2025-50182.patch \ " RDEPENDS:${PN} += "\