!161 [sync] PR-160: fix CVE-2023-45803 and CVE-2024-37891

From: @openeuler-sync-bot 
Reviewed-by: @zhuchunyi 
Signed-off-by: @zhuchunyi

backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch

@@ -0,0 +1,99 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+
+Conflict:Files dummyserver/handlers.py, test/with_dummyserver/test_connectionpool.py
+and test/with_dummyserver/test_poolmanager.py do not exist. Therefore, no dummy server
+and test case is involved.
+Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
+
+---
+ src/pip/_vendor/urllib3/_collections.py   | 18 ++++++++++++++++++
+ src/pip/_vendor/urllib3/connectionpool.py |  5 +++++
+ src/pip/_vendor/urllib3/poolmanager.py    |  7 +++++--
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
+index da9857e..bceb845 100644
+--- a/src/pip/_vendor/urllib3/_collections.py
++++ b/src/pip/_vendor/urllib3/_collections.py
+@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
+         else:
+             return vals[1:]
+ 
++    def _prepare_for_method_change(self):
++        """
++        Remove content-specific header fields before changing the request
++        method to GET or HEAD according to RFC 9110, Section 15.4.
++        """
++        content_specific_headers = [
++            "Content-Encoding",
++            "Content-Language",
++            "Content-Location",
++            "Content-Type",
++            "Content-Length",
++            "Digest",
++            "Last-Modified",
++        ]
++        for header in content_specific_headers:
++            self.discard(header)
++        return self
++
+     # Backwards compatibility for httplib
+     getheaders = getlist
+     getallmatchingheaders = getlist
+diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
+index 96844d9..5a6adcb 100644
+--- a/src/pip/_vendor/urllib3/connectionpool.py
++++ b/src/pip/_vendor/urllib3/connectionpool.py
+@@ -9,6 +9,7 @@ import warnings
+ from socket import error as SocketError
+ from socket import timeout as SocketTimeout
+ 
++from ._collections import HTTPHeaderDict
+ from .connection import (
+     BaseSSLError,
+     BrokenPipeError,
+@@ -843,7 +844,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+         redirect_location = redirect and response.get_redirect_location()
+         if redirect_location:
+             if response.status == 303:
++                # Change the method according to RFC 9110, Section 15.4.4.
+                 method = "GET"
++                # And lose the body not to transfer anything sensitive.
++                body = None
++                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
+index 14b10da..fb51bf7 100644
+--- a/src/pip/_vendor/urllib3/poolmanager.py
++++ b/src/pip/_vendor/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import collections
+ import functools
+ import logging
+ 
+-from ._collections import RecentlyUsedContainer
++from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+ from .exceptions import (
+     LocationValueError,
+@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
+         # Support relative URLs for redirecting.
+         redirect_location = urljoin(url, redirect_location)
+ 
+-        # RFC 7231, Section 6.4.4
+         if response.status == 303:
++            # Change the method according to RFC 9110, Section 15.4.4.
+             method = "GET"
++            # And lose the body not to transfer anything sensitive.
++            kw["body"] = None
++            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+         retries = kw.get("retries")
+         if not isinstance(retries, Retry):
+-- 
+2.26.2.windows.1
+

backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch

@@ -0,0 +1,33 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+Conflict:Files test/test_retry.py and test/with_dummyserver/test_poolmanager.py do not
+exist. Therefore, no test case is involved.
+Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index 60ef6c4..9a1e90d 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
++++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -235,7 +235,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+-- 
+2.26.2.windows.1
+

pip.loongarch.conf

@@ -0,0 +1,8 @@
+[global]
+timeout = 60
+index-url = https://pypi.loongnix.cn/loongson/pypi
+extra-index-url = https://pypi.org/simple
+[install]
+trusted-host =
+    pypi.loongnix.cn
+    pypi.org

python-pip.spec

@@ -5,15 +5,18 @@
 pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes.
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
-Version:        22.3.1
+Version:        23.3.1
-Release:        1
+Release:        2
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
 Source0:        %{pypi_source} 
+Source1:        pip.loongarch.conf
 BuildArch:      noarch
 Patch1:         remove-existing-dist-only-if-path-conflicts.patch
 Patch6000:      dummy-certifi.patch
+Patch6001:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+Patch6002:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 
 Source10: 	pip-allow-older-versions.patch
 
@@ -43,7 +46,13 @@ A Python wheel of pip to use with venv
 
 # this goes together with Patch6000
 rm src/pip/_vendor/certifi/*.pem
-sed -i '/\.pem$/d' src/pip.egg-info/SOURCES.txt
+#sed -i '/\.pem$/d' src/pip.egg-info/SOURCES.txt
+sed -i '/html_theme = "furo"/d' docs/html/conf.py
+
+# Remove windows executable binaries
+rm -v src/pip/_vendor/distlib/*.exe
+sed -i '/\.exe/d' setup.py
+
 
 %build
 %py3_build_wheel
@@ -97,9 +106,16 @@ rm %{buildroot}%{python3_sitelib}/pip-%{version}.dist-info/RECORD
 mkdir -p %{buildroot}%{python_wheeldir}
 install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 
+# Set default pip mirror via pip.conf
+%ifarch loongarch64
+install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
+%endif
 
 %files -n python%{python3_pkgversion}-%{srcname}
 %license LICENSE.txt
+%ifarch loongarch64
+%config(noreplace) %{_sysconfdir}/pip.conf
+%endif
 %{_bindir}/pip
 %{_bindir}/pip3
 %{_bindir}/pip-3*
@@ -118,6 +134,44 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 23.3.1-2
+- Fix CVE-2023-45803 and CVE-2024-37891
+
+* Wed Jan 31 2024 gengqihu <gengqihu2@h-partners.com> - 23.3.1-1
+- update version to 23.3.1
+- Fix parallel pip cache downloads causing crash (#12364)
+- Upgrade urllib3 to 1.26.17 (#12343)
+- Fix zsh completion script (#12173)
+- Fix #12166
+- Move the setuptools settings into pyproject.toml
+- Use `-r=...` instead of `-r ...` for hg
+- Drop isort and flake8 settings from setup.cfg
+- Follow imports for more vendored dependencies
+- Enable mypy's strict equality checks (#12209)
+- Fixed argument name in docstring
+- Allow truststore to not import on Python 3.9 and earlier
+- Vendor truststore
+- Fix formatting, combine numbers not strings!
+- Remove uses of `utcnow` in non-vendored code (#12006)
+- Fix issues raised in code review
+- move test_download_metadata mock pypi index utilities to conftest.py
+- Use strict optional checking in req_install.py (#11379)
+- Fix 'force' remove file without write permissions
+- Dropped unused attribute
+- Fix Pytest --use-venv init
+- Limit the double download fix to wheels
+- Fix slowness on Python 3.11 when updating an existing large environment.
+- Fix `pip completion --zsh`
+
+* Fri Sep 08 2023 zhuofeng <zhuofeng2@huawei.com> - 23.1.2-3
+- fix that pip install failed
+
+* Sun Jul 30 2023 Funda Wang <fundawang@yeah.net> - 23.1.2-2
+- Use local mirrors for pip
+
+* Fri Jun  9 2023 dillon chen <dillon.chen@gmail.com> - 23.1.2-1
+- upgrade version to 23.1.2
+
 * Sat Jan 28 2023 zhuofeng<zhuofeng2@huawei.com> - 22.3.1-1                                          
 - upgrade version to 22.3.1