[Medium] patch python-requests for CVE-2024-47081 (#14019)

jykanase · web-flow · commit efbb633174a8 · 2025-06-26T06:01:55.000+05:30
diff --git a/SPECS/python-requests/CVE-2024-47081.patch b/SPECS/python-requests/CVE-2024-47081.patch
@@ -0,0 +1,32 @@
+From a0383681fca625f7d6bfdbe1074c884ceaa1f688 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Tue, 17 Jun 2025 04:52:52 +0000
+Subject: [PATCH] CVE-2024-47081
+
+Upstream Patch Reference: https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
+---
+ requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index a367417..502c7bc 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -228,13 +228,7 @@ def get_netrc_auth(url, raise_errors=False):
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b":"
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode("ascii")
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
+-- 
+2.45.2
+
diff --git a/SPECS/python-requests/python-requests.spec b/SPECS/python-requests/python-requests.spec
@@ -1,14 +1,15 @@
 Summary:        Awesome Python HTTP Library That's Actually Usable
 Name:           python-requests
 Version:        2.31.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Languages/Python
 URL:            http://python-requests.org
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch0:         CVE-2024-35195.patch
+Patch1:         CVE-2024-47081.patch
 BuildArch:      noarch
 
 %description
@@ -72,6 +73,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 
 %changelog
+* Tue Jun 17 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 2.31.0-3
+- Add patch for CVE-2024-47081
+
 * Fri Dec 27 2024 Archana Choudhary <archana1@microsoft.com> - 2.31.0-2
 - Add patch for CVE-2024-35195
 
