Merge 3229ed0 into c00a1e2

h3llrais3r · Oct 2, 2021 · 1f2ab44 · 1f2ab44
2 parents c00a1e2 + 3229ed0
commit 1f2ab44
Show file tree

Hide file tree

Showing 18 changed files with 208 additions and 71 deletions.
diff --git a/lib/urllib3/_version.py b/lib/urllib3/_version.py
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.4"
+__version__ = "1.26.7"
diff --git a/lib/urllib3/connection.py b/lib/urllib3/connection.py
@@ -56,6 +56,7 @@ class BrokenPipeError(Exception):
 from .util.ssl_ import (
     assert_fingerprint,
     create_urllib3_context,
+    is_ipaddress,
     resolve_cert_reqs,
     resolve_ssl_version,
     ssl_wrap_socket,
@@ -107,6 +108,10 @@ class HTTPConnection(_HTTPConnection, object):
     #: Whether this connection verifies the host's certificate.
     is_verified = False
 
+    #: Whether this proxy connection (if used) verifies the proxy host's
+    #: certificate.
+    proxy_is_verified = None
+
     def __init__(self, *args, **kw):
         if not six.PY2:
             kw.pop("strict", None)
@@ -201,7 +206,7 @@ def connect(self):
         self._prepare_conn(conn)
 
     def putrequest(self, method, url, *args, **kwargs):
-        """"""
+        """ """
         # Empty docstring because the indentation of CPython's implementation
         # is broken but we don't want this method in our documentation.
         match = _CONTAINS_CONTROL_CHAR_RE.search(method)
@@ -214,7 +219,7 @@ def putrequest(self, method, url, *args, **kwargs):
         return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
 
     def putheader(self, header, *values):
-        """"""
+        """ """
         if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
             _HTTPConnection.putheader(self, header, *values)
         elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
@@ -249,7 +254,7 @@ def request_chunked(self, method, url, body=None, headers=None):
             self.putheader("User-Agent", _get_default_user_agent())
         for header, value in headers.items():
             self.putheader(header, value)
-        if "transfer-encoding" not in headers:
+        if "transfer-encoding" not in header_keys:
             self.putheader("Transfer-Encoding", "chunked")
         self.endheaders()
 
@@ -490,14 +495,10 @@ def _connect_tls_proxy(self, hostname, conn):
             self.ca_cert_dir,
             self.ca_cert_data,
         )
-        # By default urllib3's SSLContext disables `check_hostname` and uses
-        # a custom check. For proxies we're good with relying on the default
-        # verification.
-        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation
-        return ssl_wrap_socket(
+        socket = ssl_wrap_socket(
             sock=conn,
             ca_certs=self.ca_certs,
             ca_cert_dir=self.ca_cert_dir,
@@ -506,8 +507,37 @@ def _connect_tls_proxy(self, hostname, conn):
             ssl_context=ssl_context,
         )
 
+        if ssl_context.verify_mode != ssl.CERT_NONE and not getattr(
+            ssl_context, "check_hostname", False
+        ):
+            # While urllib3 attempts to always turn off hostname matching from
+            # the TLS library, this cannot always be done. So we check whether
+            # the TLS Library still thinks it's matching hostnames.
+            cert = socket.getpeercert()
+            if not cert.get("subjectAltName", ()):
+                warnings.warn(
+                    (
+                        "Certificate for {0} has no `subjectAltName`, falling back to check for a "
+                        "`commonName` for now. This feature is being removed by major browsers and "
+                        "deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 "
+                        "for details.)".format(hostname)
+                    ),
+                    SubjectAltNameWarning,
+                )
+            _match_hostname(cert, hostname)
+
+        self.proxy_is_verified = ssl_context.verify_mode == ssl.CERT_REQUIRED
+        return socket
+
 
 def _match_hostname(cert, asserted_hostname):
+    # Our upstream implementation of ssl.match_hostname()
+    # only applies this normalization to IP addresses so it doesn't
+    # match DNS SANs so we do the same thing!
+    stripped_hostname = asserted_hostname.strip("u[]")
+    if is_ipaddress(stripped_hostname):
+        asserted_hostname = stripped_hostname
+
     try:
         match_hostname(cert, asserted_hostname)
     except CertificateError as e:

diff --git a/lib/urllib3/connectionpool.py b/lib/urllib3/connectionpool.py
@@ -318,7 +318,7 @@ def _prepare_proxy(self, conn):
         pass
 
     def _get_timeout(self, timeout):
-        """ Helper that always returns a :class:`urllib3.util.Timeout` """
+        """Helper that always returns a :class:`urllib3.util.Timeout`"""
         if timeout is _Default:
             return self.timeout.clone()
 
@@ -1014,12 +1014,23 @@ def _validate_conn(self, conn):
                 (
                     "Unverified HTTPS request is being made to host '%s'. "
                     "Adding certificate verification is strongly advised. See: "
-                    "https://urllib3.readthedocs.io/en/latest/advanced-usage.html"
+                    "https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html"
                     "#ssl-warnings" % conn.host
                 ),
                 InsecureRequestWarning,
             )
 
+        if getattr(conn, "proxy_is_verified", None) is False:
+            warnings.warn(
+                (
+                    "Unverified HTTPS connection done to an HTTPS proxy. "
+                    "Adding certificate verification is strongly advised. See: "
+                    "https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html"
+                    "#ssl-warnings"
+                ),
+                InsecureRequestWarning,
+            )
+
 
 def connection_from_url(url, **kw):
     """

diff --git a/lib/urllib3/contrib/_securetransport/low_level.py b/lib/urllib3/contrib/_securetransport/low_level.py
@@ -188,6 +188,7 @@ def _cert_array_from_pem(pem_bundle):
         # We only want to do that if an error occurs: otherwise, the caller
         # should free.
         CoreFoundation.CFRelease(cert_array)
+        raise
 
     return cert_array
 

diff --git a/lib/urllib3/contrib/appengine.py b/lib/urllib3/contrib/appengine.py
@@ -111,7 +111,7 @@ def __init__(
         warnings.warn(
             "urllib3 is using URLFetch on Google App Engine sandbox instead "
             "of sockets. To use sockets directly instead of URLFetch see "
-            "https://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html.",
+            "https://urllib3.readthedocs.io/en/1.26.x/reference/urllib3.contrib.html.",
             AppEnginePlatformWarning,
         )
 

diff --git a/lib/urllib3/contrib/ntlmpool.py b/lib/urllib3/contrib/ntlmpool.py
@@ -5,13 +5,22 @@
 """
 from __future__ import absolute_import
 
+import warnings
 from logging import getLogger
 
 from ntlm import ntlm
 
 from .. import HTTPSConnectionPool
 from ..packages.six.moves.http_client import HTTPSConnection
 
+warnings.warn(
+    "The 'urllib3.contrib.ntlmpool' module is deprecated and will be removed "
+    "in urllib3 v2.0 release, urllib3 is not able to support it properly due "
+    "to reasons listed in issue: https://github.com/urllib3/urllib3/issues/2282. "
+    "If you are a user of this module please comment in the mentioned issue.",
+    DeprecationWarning,
+)
+
 log = getLogger(__name__)
 
 

diff --git a/lib/urllib3/contrib/pyopenssl.py b/lib/urllib3/contrib/pyopenssl.py
@@ -76,6 +76,7 @@ class UnsupportedExtension(Exception):
 
 from .. import util
 from ..packages import six
+from ..util.ssl_ import PROTOCOL_TLS_CLIENT
 
 __all__ = ["inject_into_urllib3", "extract_from_urllib3"]
 
@@ -85,6 +86,7 @@ class UnsupportedExtension(Exception):
 # Map from urllib3 to PyOpenSSL compatible parameter-values.
 _openssl_versions = {
     util.PROTOCOL_TLS: OpenSSL.SSL.SSLv23_METHOD,
+    PROTOCOL_TLS_CLIENT: OpenSSL.SSL.SSLv23_METHOD,
     ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
 }
 

diff --git a/lib/urllib3/contrib/securetransport.py b/lib/urllib3/contrib/securetransport.py
@@ -67,6 +67,7 @@
 import six
 
 from .. import util
+from ..util.ssl_ import PROTOCOL_TLS_CLIENT
 from ._securetransport.bindings import CoreFoundation, Security, SecurityConst
 from ._securetransport.low_level import (
     _assert_no_error,
@@ -154,7 +155,8 @@
 # TLSv1 and a high of TLSv1.2. For everything else, we pin to that version.
 # TLSv1 to 1.2 are supported on macOS 10.8+
 _protocol_to_min_max = {
-    util.PROTOCOL_TLS: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12)
+    util.PROTOCOL_TLS: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12),
+    PROTOCOL_TLS_CLIENT: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12),
 }
 
 if hasattr(ssl, "PROTOCOL_SSLv2"):

diff --git a/lib/urllib3/contrib/socks.py b/lib/urllib3/contrib/socks.py
@@ -51,7 +51,7 @@
         (
             "SOCKS support in urllib3 requires the installation of optional "
             "dependencies: specifically, PySocks.  For more information, see "
-            "https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies"
+            "https://urllib3.readthedocs.io/en/1.26.x/contrib.html#socks-proxies"
         ),
         DependencyWarning,
     )