debian/0000775000000000000000000000000013357424155007201 5ustar debian/watch0000664000000000000000000000012412231303432010207 0ustar version=3 https://pypi.python.org/packages/source/r/requests/requests-(.*)\.tar\.gz debian/source/0000775000000000000000000000000011770437422010477 5ustar debian/source/format0000664000000000000000000000001411573512405011701 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000212161114653010366 0ustar 9 debian/clean0000664000000000000000000000002412231303432010162 0ustar requests.egg-info/* debian/docs0000664000000000000000000000001311573512405010040 0ustar README.rst debian/patches/0000775000000000000000000000000013357423676010637 5ustar debian/patches/02_use-system-chardet-and-urllib3.patch0000664000000000000000000000716312272023754020014 0ustar Description: Use the system python-chardet and python-urllib3 instead of the embedded copies. Author: Daniele Tricoli Forwarded: not-needed Last-Update: 2014-01-27 --- a/requests/adapters.py +++ b/requests/adapters.py 
@@ -11,18 +11,18 @@ import socket from .models import Response -from .packages.urllib3.poolmanager import PoolManager, proxy_from_url -from .packages.urllib3.response import HTTPResponse -from .packages.urllib3.util import Timeout as TimeoutSauce +from urllib3.poolmanager import PoolManager, proxy_from_url +from urllib3.response import HTTPResponse +from urllib3.util import Timeout as TimeoutSauce from .compat import urlparse, basestring, urldefrag, unquote from .utils import (DEFAULT_CA_BUNDLE_PATH, get_encoding_from_headers, except_on_missing_scheme, get_auth_from_url) from .structures import CaseInsensitiveDict -from .packages.urllib3.exceptions import MaxRetryError -from .packages.urllib3.exceptions import TimeoutError -from .packages.urllib3.exceptions import SSLError as _SSLError -from .packages.urllib3.exceptions import HTTPError as _HTTPError -from .packages.urllib3.exceptions import ProxyError as _ProxyError +from urllib3.exceptions import MaxRetryError +from urllib3.exceptions import TimeoutError +from urllib3.exceptions import SSLError as _SSLError +from urllib3.exceptions import HTTPError as _HTTPError +from urllib3.exceptions import ProxyError as _ProxyError from .cookies import extract_cookies_to_jar from .exceptions import ConnectionError, Timeout, SSLError, ProxyError from .auth import _basic_auth_str --- a/requests/compat.py +++ b/requests/compat.py @@ -4,7 +4,7 @@ pythoncompat """ -from .packages import chardet +import chardet import sys @@ -89,7 +89,7 @@ import cookielib from Cookie import Morsel from StringIO import StringIO - from .packages.urllib3.packages.ordered_dict import OrderedDict + from urllib3.packages.ordered_dict import OrderedDict from httplib import IncompleteRead builtin_str = str --- a/requests/models.py +++ b/requests/models.py 
@@ -17,10 +17,10 @@ from .auth import HTTPBasicAuth from .cookies import cookiejar_from_dict, get_cookie_header -from .packages.urllib3.fields import RequestField -from .packages.urllib3.filepost import encode_multipart_formdata -from .packages.urllib3.util import parse_url -from .packages.urllib3.exceptions import DecodeError +from urllib3.fields import RequestField +from urllib3.filepost import encode_multipart_formdata +from urllib3.util import parse_url +from urllib3.exceptions import DecodeError from .exceptions import ( HTTPError, RequestException, MissingSchema, InvalidURL, ChunkedEncodingError, ContentDecodingError) --- a/setup.py +++ b/setup.py @@ -16,12 +16,6 @@ packages = [ 'requests', - 'requests.packages', - 'requests.packages.chardet', - 'requests.packages.urllib3', - 'requests.packages.urllib3.packages', - 'requests.packages.urllib3.contrib', - 'requests.packages.urllib3.packages.ssl_match_hostname' ] requires = [] --- a/requests/__init__.py +++ b/requests/__init__.py @@ -50,7 +50,7 @@ # Attempt to enable urllib3's SNI support, if possible try: - from .packages.urllib3.contrib import pyopenssl + from urllib3.contrib import pyopenssl pyopenssl.inject_into_urllib3() except ImportError: pass --- a/requests/exceptions.py +++ b/requests/exceptions.py 
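Review bot: In the requests/__init__.py hunk, `pyopenssl.inject_into_urllib3()` now runs against the shared system `urllib3` module instead of a copy private to requests. Importing requests therefore changes the TLS backend for every other urllib3 user in the same process. The patch description does not mention this side effect; I would add a comment above the import such as `# Debian: urllib3 is the shared system module, so this injection is process-wide, not private to requests`. The surrounding `except ImportError: pass` also hides whether the injection took place, which matters when diagnosing SNI or certificate-verification failures.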
@@ -7,7 +7,7 @@ This module contains the set of Requests' exceptions. """ -from .packages.urllib3.exceptions import HTTPError as BaseHTTPError +from urllib3.exceptions import HTTPError as BaseHTTPError class RequestException(IOError): debian/patches/series0000664000000000000000000000030013357423676012045 0ustar 01_use-system-ca-certificates.patch 02_use-system-chardet-and-urllib3.patch CVE-2014-1829.patch CVE-2014-1830.patch CVE-2015-2296.patch use-setuptools-for-wheel-only.diff CVE-2018-18074.patch debian/patches/01_use-system-ca-certificates.patch0000664000000000000000000000170112136773240017306 0ustar Description: Use the bundle provided by ca-certificates instead of the embedded one. Author: Daniele Tricoli Forwarded: not-needed Last-Update: 2013-01-19 --- a/requests/certs.py 2013-04-25 22:54:02.000000000 +0000 +++ b/requests/certs.py 2013-04-25 22:54:34.000000000 +0000 @@ -18,7 +18,7 @@ def where(): """Return the preferred certificate bundle.""" # vendored bundle inside Requests - return os.path.join(os.path.dirname(__file__), 'cacert.pem') + return '/etc/ssl/certs/ca-certificates.crt' if __name__ == '__main__': print(where()) --- a/setup.py +++ b/setup.py 
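Review bot: In the requests/certs.py hunk the context comment `# vendored bundle inside Requests` is left directly above the new `return '/etc/ssl/certs/ca-certificates.crt'`, so it now says the opposite of what `where()` does. Replace it with something like `# Debian: use the system bundle maintained by the ca-certificates package`. The path is hard-coded and never checked for existence, so a missing or empty bundle will presumably surface only as a verification failure at connection time. The docstring could also state that the bundle is no longer shipped with the module.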
@@ -35,7 +35,7 @@ author_email='me@kennethreitz.com', url='http://python-requests.org', packages=packages, - package_data={'': ['LICENSE', 'NOTICE'], 'requests': ['*.pem']}, + package_data={'': ['LICENSE', 'NOTICE'],}, package_dir={'requests': 'requests'}, include_package_data=True, install_requires=requires, debian/patches/CVE-2014-1830.patch0000664000000000000000000001766312412632634013252 0ustar Description: fix Proxy-Authorization header disclosure on redirect Origin: backport, https://github.com/kennethreitz/requests/commit/97cf16e958a948ecf30c3019ae94f2e7ec7dcb7f Origin: backport, https://github.com/kennethreitz/requests/commit/4d8cb3244e8e4f84b250c10a48e025f9a8bf6137 Origin: backport, https://github.com/kennethreitz/requests/commit/4f6dca42ea0fb3d1c4706e63e594e43f7a3237f7 Origin: backport, https://github.com/kennethreitz/requests/commit/8d693a2a27d0a073c0d03823cab71a3716001285 Origin: backport, https://github.com/kennethreitz/requests/commit/90f73378582e4e2cbc75a189a2cfa7826824f29e Origin: backport, https://github.com/kennethreitz/requests/commit/459f8dfccb7ee2e1dc9e041b7aebc2392219c35e Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108 Bug: https://github.com/kennethreitz/requests/issues/1885 Index: requests-2.2.1/requests/sessions.py =================================================================== --- requests-2.2.1.orig/requests/sessions.py 2014-09-30 16:11:30.649293951 -0400 +++ requests-2.2.1/requests/sessions.py 2014-09-30 16:11:54.725293578 -0400 @@ -12,6 +12,7 @@ from collections import Mapping from datetime import datetime +from .auth import _basic_auth_str from .compat import cookielib, OrderedDict, urljoin, urlparse, builtin_str from .cookies import ( cookiejar_from_dict, extract_cookies_to_jar, RequestsCookieJar, merge_cookies) 
@@ -23,7 +24,10 @@ from .adapters import HTTPAdapter -from .utils import requote_uri, get_environ_proxies, get_netrc_auth +from .utils import ( + requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies, + get_auth_from_url +) from .status_codes import codes REDIRECT_STATI = ( @@ -157,22 +161,15 @@ prepared_request._cookies.update(self.cookies) prepared_request.prepare_cookies(prepared_request._cookies) - if 'Authorization' in headers: - # If we get redirected to a new host, we should strip out any - # authentication headers. - original_parsed = urlparse(resp.request.url) - redirect_parsed = urlparse(url) - - if (original_parsed.hostname != redirect_parsed.hostname): - del headers['Authorization'] - - # .netrc might have more auth for us. - new_auth = get_netrc_auth(url) if self.trust_env else None - if new_auth is not None: - prepared_request.prepare_auth(new_auth) + # Rebuild auth and proxy information. + proxies = self.rebuild_proxies(prepared_request, proxies) + self.rebuild_auth(prepared_request, resp) + + # Override the original request. + req = prepared_request resp = self.send( - prepared_request, + req, stream=stream, timeout=timeout, verify=verify, 
@@ -186,6 +183,68 @@ i += 1 yield resp + def rebuild_auth(self, prepared_request, response): + """ + When being redirected we may want to strip authentication from the + request to avoid leaking credentials. This method intelligently removes + and reapplies authentication where possible to avoid credential loss. + """ + headers = prepared_request.headers + url = prepared_request.url + + if 'Authorization' in headers: + # If we get redirected to a new host, we should strip out any + # authentication headers. + original_parsed = urlparse(response.request.url) + redirect_parsed = urlparse(url) + + if (original_parsed.hostname != redirect_parsed.hostname): + del headers['Authorization'] + + # .netrc might have more auth for us on our new host. + new_auth = get_netrc_auth(url) if self.trust_env else None + if new_auth is not None: + prepared_request.prepare_auth(new_auth) + + return + + def rebuild_proxies(self, prepared_request, proxies): + """ + This method re-evaluates the proxy configuration by considering the + environment variables. If we are redirected to a URL covered by + NO_PROXY, we strip the proxy configuration. Otherwise, we set missing + proxy keys for this URL (in case they were stripped by a previous + redirect). + + This method also replaces the Proxy-Authorization header where + necessary. 
+ """ + headers = prepared_request.headers + url = prepared_request.url + scheme = urlparse(url).scheme + new_proxies = proxies.copy() if proxies is not None else {} + + if self.trust_env and not should_bypass_proxies(url): + environ_proxies = get_environ_proxies(url) + + proxy = environ_proxies.get(scheme) + + if proxy: + new_proxies.setdefault(scheme, environ_proxies[scheme]) + + if 'Proxy-Authorization' in headers: + del headers['Proxy-Authorization'] + + try: + username, password = get_auth_from_url(new_proxies[scheme]) + except KeyError: + username, password = None, None + + if username and password: + headers['Proxy-Authorization'] = _basic_auth_str(username, password) + + return new_proxies + class Session(SessionRedirectMixin): """A Requests session. Index: requests-2.2.1/test_requests.py =================================================================== --- requests-2.2.1.orig/test_requests.py 2014-01-23 13:23:01.000000000 -0500 +++ requests-2.2.1/test_requests.py 2014-09-30 16:11:48.805293669 -0400 @@ -8,6 +8,7 @@ import os import pickle import unittest +import collections import requests import pytest @@ -18,6 +19,7 @@ from requests.cookies import cookiejar_from_dict, morsel_to_cookie from requests.exceptions import InvalidURL, MissingSchema from requests.structures import CaseInsensitiveDict +from requests.sessions import SessionRedirectMixin try: import StringIO 
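Review bot: The `rebuild_proxies` docstring says the proxy configuration is stripped when the redirect target is covered by NO_PROXY, but nothing in the visible body removes an entry from `new_proxies`. When `should_bypass_proxies(url)` is true the `if` block is skipped and the copy of the caller's `proxies` is returned unchanged. `Proxy-Authorization` is then rebuilt from `new_proxies[scheme]`, so credentials embedded in that proxy URL are attached to the redirected request as well. If stripping is the intent, drop the entry in that case, e.g. `if self.trust_env and should_bypass_proxies(url): new_proxies.pop(scheme, None)`; otherwise reword the docstring to say that only missing keys are filled in. Separately, `if username and password:` omits the header for a proxy URL that carries a username with an empty password, which deserves a comment if that is deliberate.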
@@ -1166,5 +1168,64 @@ morsel_to_cookie(morsel) +SendCall = collections.namedtuple('SendCall', ('args', 'kwargs')) + + +class RedirectSession(SessionRedirectMixin): + def __init__(self, order_of_redirects): + self.redirects = order_of_redirects + self.calls = [] + self.max_redirects = 30 + self.cookies = {} + self.trust_env = False + + def send(self, *args, **kwargs): + self.calls.append(SendCall(args, kwargs)) + return self.build_response() + + def build_response(self): + request = self.calls[-1].args[0] + r = requests.Response() + + try: + r.status_code = int(self.redirects.pop(0)) + except IndexError: + r.status_code = 200 + + r.headers = CaseInsensitiveDict({'Location': '/'}) + r.raw = self._build_raw() + r.request = request + return r + + def _build_raw(self): + string = StringIO.StringIO('') + setattr(string, 'release_conn', lambda *args: args) + return string + + +class TestRedirects: + default_keyword_args = { + 'stream': False, + 'verify': True, + 'cert': None, + 'timeout': None, + 'allow_redirects': False, + 'proxies': None, + } + + def test_requests_are_updated_each_time(self): + session = RedirectSession([303, 307]) + prep = requests.Request('POST', 'http://httpbin.org/post').prepare() + r0 = session.send(prep) + assert r0.request.method == 'POST' + assert session.calls[-1] == SendCall((r0.request,), {}) + redirect_generator = session.resolve_redirects(r0, prep) + for response in redirect_generator: + assert response.request.method == 'GET' + send_call = SendCall((response.request,), + TestRedirects.default_keyword_args) + assert session.calls[-1] == send_call + + if __name__ == '__main__': unittest.main() debian/patches/CVE-2015-2296.patch0000664000000000000000000000143512501541044013241 0ustar Description: Don't ascribe cookies to new domains on redirect Author: Cory Benfield Origin: upstream, https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780506 
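Review bot: The added `TestRedirects` case does not exercise the header handling this patch exists for. `RedirectSession` sets `trust_env = False`, the prepared request carries neither `Authorization` nor `Proxy-Authorization`, and `build_response` always answers with `Location: '/'`, so neither removal branch in `rebuild_auth` or `rebuild_proxies` runs with a header present. I would add a second test that prepares the request with both headers, makes `build_response` return a `Location` on a different host, and asserts that neither header is on the request handed to `send`. `_build_raw` also depends on the module-level `StringIO` name, whose import lies outside this hunk.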
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/python-requests/+bug/1432555 --- a/requests/sessions.py +++ b/requests/sessions.py @@ -157,7 +157,7 @@ except KeyError: pass - extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw) + extract_cookies_to_jar(prepared_request._cookies, req, resp.raw) prepared_request._cookies.update(self.cookies) prepared_request.prepare_cookies(prepared_request._cookies) debian/patches/CVE-2014-1829.patch0000664000000000000000000000736512412633732013260 0ustar Description: fix Authorization header disclosure on redirect Origin: backport, https://github.com/kennethreitz/requests/commit/6d7e8a97bbefa287366bc5d0b0b8f789532e853a Origin: backport, https://github.com/kennethreitz/requests/commit/f1893c835570d72823c970fbd6e0e42c13b1f0f2 Origin: backport, https://github.com/kennethreitz/requests/commit/f74f5e3ebf0943163cd21b93fb682f790277aa19 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108 Bug: https://github.com/kennethreitz/requests/issues/1885 Index: requests-2.2.1/requests/sessions.py =================================================================== --- requests-2.2.1.orig/requests/sessions.py 2014-09-30 19:06:44.065131062 -0400 +++ requests-2.2.1/requests/sessions.py 2014-09-30 19:06:44.061131062 -0400 
@@ -153,11 +153,24 @@ except KeyError: pass - extract_cookies_to_jar(prepared_request._cookies, - prepared_request, resp.raw) + extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw) prepared_request._cookies.update(self.cookies) prepared_request.prepare_cookies(prepared_request._cookies) + if 'Authorization' in headers: + # If we get redirected to a new host, we should strip out any + # authentication headers. + original_parsed = urlparse(resp.request.url) + redirect_parsed = urlparse(url) + + if (original_parsed.hostname != redirect_parsed.hostname): + del headers['Authorization'] + + # .netrc might have more auth for us. + new_auth = get_netrc_auth(url) if self.trust_env else None + if new_auth is not None: + prepared_request.prepare_auth(new_auth) + resp = self.send( prepared_request, stream=stream, Index: requests-2.2.1/requests/utils.py =================================================================== --- requests-2.2.1.orig/requests/utils.py 2014-01-23 13:23:01.000000000 -0500 +++ requests-2.2.1/requests/utils.py 2014-09-30 19:06:59.105130829 -0400 @@ -466,9 +466,10 @@ return True -def get_environ_proxies(url): - """Return a dict of environment proxies.""" - +def should_bypass_proxies(url): + """ + Returns whether we should bypass proxies or not. + """ get_proxy = lambda k: os.environ.get(k) or os.environ.get(k.upper()) # First check whether no_proxy is defined. If it is, check that the URL @@ -486,13 +487,13 @@ for proxy_ip in no_proxy: if is_valid_cidr(proxy_ip): if address_in_network(ip, proxy_ip): - return {} + return True else: for host in no_proxy: if netloc.endswith(host) or netloc.split(':')[0].endswith(host): # The URL does match something in no_proxy, so we don't want # to apply the proxies on this URL. - return {} + return True # If the system proxy settings indicate that this URL should be bypassed, # don't proxy. 
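Review bot: `should_bypass_proxies` keeps the plain suffix test `netloc.endswith(host)` from the function it was split out of. A `no_proxy` entry written without a leading dot therefore also matches any hostname that merely ends with the same characters, and that request skips the proxy. The helper is now called from `rebuild_proxies` on redirects when `trust_env` is set, so its docstring should state the matching rule rather than only "Returns whether we should bypass proxies or not". For example, add `# NOTE: suffix match, not a domain-label match; a no_proxy entry without a leading dot also matches unrelated hosts ending in it`. The function body starts and ends outside the hunks shown, so the CIDR branch and the `proxy_bypass` fallback could not be reviewed in full.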
@@ -506,12 +507,16 @@ bypass = False if bypass: - return {} + return True - # If we get here, we either didn't have no_proxy set or we're not going - # anywhere that no_proxy applies to, and the system settings don't require - # bypassing the proxy for the current URL. - return getproxies() + return False + +def get_environ_proxies(url): + """Return a dict of environment proxies.""" + if should_bypass_proxies(url): + return {} + else: + return getproxies() def default_user_agent(name="python-requests"): debian/patches/use-setuptools-for-wheel-only.diff0000664000000000000000000000060312502136377017336 0ustar Index: b/setup.py =================================================================== --- a/setup.py +++ b/setup.py @@ -5,9 +5,11 @@ import requests -try: +# just build the wheel using setuptools +import os +if os.getenv("USE_SETUPTOOLS") == "yes": from setuptools import setup -except ImportError: +else: from distutils.core import setup if sys.argv[-1] == 'publish': debian/patches/CVE-2018-18074.patch0000664000000000000000000000602513357423676013351 0ustar Backported of: From 3331e2aecdbf575dd60abef4df79c52d78610a83 Mon Sep 17 00:00:00 2001 From: Bruce Merry Date: Thu, 28 Jun 2018 16:38:42 +0200 Subject: [PATCH 1/2] Strip Authorization header whenever root URL changes Previously the header was stripped only if the hostname changed, but in an https -> http redirect that can leak the credentials on the wire (#4716). Based on with RFC 7235 section 2.2, the header is now stripped if the "canonical root URL" (scheme+authority) has changed, by checking scheme, hostname and port. From 857e9b7ac20c3accf4cc328f594aecb8b6a644a6 Mon Sep 17 00:00:00 2001 From: Bruce Merry Date: Tue, 14 Aug 2018 13:30:43 +0200 Subject: [PATCH 2/2] Rework authorization stripping logic as discussed The exception for http->https upgrade now requires the standard HTTP(S) ports to be used, either implicitly (no port specified) or explicitly. 
diff --git a/requests/sessions.py b/requests/sessions.py index 6c08be8..96f7330 100644 --- a/requests/sessions.py +++ b/requests/sessions.py @@ -87,6 +87,22 @@ def merge_hooks(request_hooks, session_hooks, dict_class=OrderedDict): class SessionRedirectMixin(object): + def should_strip_auth(self, old_url, new_url): + """Decide whether Authorization header should be removed when redirecting""" + old_parsed = urlparse(old_url) + new_parsed = urlparse(new_url) + if old_parsed.hostname != new_parsed.hostname: + return True + # Special case: allow http -> https redirect when using the standard + # ports. This isn't specified by RFC 7235, but is kept to avoid + # breaking backwards compatibility with older versions of requests + # that allowed any redirects on the same host. + if (old_parsed.scheme == 'http' and old_parsed.port in (80, None) + and new_parsed.scheme == 'https' and new_parsed.port in (443, None)): + return False + # Standard case: root URI must match + return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme + def resolve_redirects(self, resp, req, stream=False, timeout=None, verify=True, cert=None, proxies=None): """Receives a Response. Returns a generator of Responses.""" 
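Review bot: In `should_strip_auth` the final comparison `old_parsed.port != new_parsed.port` works on the raw port values. A redirect between `http://host:80/` and `http://host/` (port `80` versus `None`) therefore counts as a changed root URL and drops `Authorization`, even though scheme, host and effective port are identical. This fails closed, so it is not a disclosure, but it can produce unexpected 401 responses after a same-origin redirect. The special case above it already treats `80`/`None` and `443`/`None` as equivalent, so the standard case should normalise default ports the same way. `urlparse(...).port` can also raise `ValueError` on a malformed port, which this method does not handle; whether such a URL can reach it depends on validation outside the hunk.

```python
        # … unchanged: hostname check and http -> https special case …
        # Standard case: root URI must match, with default ports made explicit
        default_ports = {'http': 80, 'https': 443}
        old_port = old_parsed.port or default_ports.get(old_parsed.scheme)
        new_port = new_parsed.port or default_ports.get(new_parsed.scheme)
        return old_port != new_port or old_parsed.scheme != new_parsed.scheme
```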
@@ -192,14 +208,10 @@ class SessionRedirectMixin(object): headers = prepared_request.headers url = prepared_request.url - if 'Authorization' in headers: + if 'Authorization' in headers and self.should_strip_auth(response.request.url, url): # If we get redirected to a new host, we should strip out any # authentication headers. - original_parsed = urlparse(response.request.url) - redirect_parsed = urlparse(url) - - if (original_parsed.hostname != redirect_parsed.hostname): - del headers['Authorization'] + del headers['Authorization'] # .netrc might have more auth for us on our new host. new_auth = get_netrc_auth(url) if self.trust_env else None debian/control0000664000000000000000000000660412502136200010570 0ustar Source: requests Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Python Modules Team Uploaders: Daniele Tricoli Section: python Priority: optional Build-Depends: debhelper (>= 9), dh-python, python-all (>= 2.6.6-3), python-chardet, python-urllib3 (>= 1.7.1), python-setuptools, python3-all, python3-chardet, python3-urllib3 (>= 1.7.1), python3-setuptools, python3-wheel Standards-Version: 3.9.5 X-Python-Version: >= 2.7 X-Python3-Version: >= 3.0 Homepage: http://python-requests.org Vcs-Svn: svn://anonscm.debian.org/python-modules/packages/requests/trunk/ Vcs-Browser: http://anonscm.debian.org/viewvc/python-modules/packages/requests/trunk/ Package: python-requests Architecture: all Depends: ${misc:Depends}, ${python:Depends}, ca-certificates, python-chardet, python-urllib3 (>= 1.7.1), Description: elegant and simple HTTP library for Python, built for human beings Requests allow you to send HTTP/1.1 requests. You can add headers, form data, multipart files, and parameters with simple Python dictionaries, and access the response data in the same way. It's powered by httplib and urllib3, but it does all the hard work and crazy hacks for you. . Features . 
- International Domains and URLs - Keep-Alive & Connection Pooling - Sessions with Cookie Persistence - Browser-style SSL Verification - Basic/Digest Authentication - Elegant Key/Value Cookies - Automatic Decompression - Unicode Response Bodies - Multipart File Uploads - Connection Timeouts Package: python3-requests Architecture: all Depends: ${misc:Depends}, ${python3:Depends}, ca-certificates, python3-chardet, python3-urllib3 (>= 1.5) Description: elegant and simple HTTP library for Python3, built for human beings Requests allow you to send HTTP/1.1 requests. You can add headers, form data, multipart files, and parameters with simple Python dictionaries, and access the response data in the same way. It's powered by httplib and urllib3, but it does all the hard work and crazy hacks for you. . Features . - International Domains and URLs - Keep-Alive & Connection Pooling - Sessions with Cookie Persistence - Browser-style SSL Verification - Basic/Digest Authentication - Elegant Key/Value Cookies - Automatic Decompression - Unicode Response Bodies - Multipart File Uploads - Connection Timeouts . This package contains the Python 3 version of the library. Package: python-requests-whl Architecture: all Depends: ca-certificates, python-urllib3-whl, ${misc:Depends}, ${python3:Depends} Description: elegant and simple HTTP library for Python, built for human beings Requests allow you to send HTTP/1.1 requests. You can add headers, form data, multipart files, and parameters with simple Python dictionaries, and access the response data in the same way. It's powered by httplib and urllib3, but it does all the hard work and crazy hacks for you. . Features . - International Domains and URLs - Keep-Alive & Connection Pooling - Sessions with Cookie Persistence - Browser-style SSL Verification - Basic/Digest Authentication - Elegant Key/Value Cookies - Automatic Decompression - Unicode Response Bodies - Multipart File Uploads - Connection Timeouts . 
This package provides the universal wheel. debian/python-requests-whl.install0000664000000000000000000000003012502136266014536 0ustar usr/share/python-wheels debian/changelog0000664000000000000000000002070013357424155011052 0ustar requests (2.2.1-1ubuntu0.4) trusty-security; urgency=medium * SECURITY UPDATE: Creadentials through HTTP Authorization header - debian/patches/CVE-2018-18074.patch: fix in requests/sessions.py. - CVE-2018-18074 -- Leonidas S. Barbosa Wed, 10 Oct 2018 13:24:54 -0300 requests (2.2.1-1ubuntu0.3) trusty-proposed; urgency=medium * SRU, update python3.4 for trusty. LP: #1433324. * Build a -whl package (setuptools is needed to build the wheel package). -- Matthias Klose Tue, 17 Mar 2015 23:40:09 +0100 requests (2.2.1-1ubuntu0.2) trusty-security; urgency=medium * SECURITY UPDATE: Session fixation and cookie stealing issue (LP: #1432555). - debian/patches/CVE-2015-2296.patch: extract cookies from the original request (which still has the host which returned the cookies) - CVE-2015-2296 -- Daniel Watkins Mon, 16 Mar 2015 10:11:03 +0000 requests (2.2.1-1ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: Authorization header disclosure on redirect - debian/patches/CVE-2014-1829.patch: if redirected, strip authentication header in requests/sessions.py, add should_bypass_proxies() to requests/utils.py. - CVE-2014-1829 * SECURITY UPDATE: Proxy-Authorization header disclosure on redirect - debian/patches/CVE-2014-1830.patch: also strip proxy headers in requests/sessions.py, added test to test_requests.py. 
- CVE-2014-1830 -- Marc Deslauriers Tue, 30 Sep 2014 16:13:52 -0400 requests (2.2.1-1) unstable; urgency=medium * New upstream release * debian/control - Bumped Standards-Version to 3.9.5 (no changes needed) * debian/copyright - Updated copyright years * debian/patches/02_use-system-chardet-and-urllib3.patches - Refreshed -- Daniele Tricoli Mon, 27 Jan 2014 04:58:17 +0100 requests (2.0.0-1) unstable; urgency=low * New upstream release (Closes: #725784) * Switched to pybuild * debian/clean - Switched to debian/clean for cleaning instead of using debian/rules * debian/control - Bumped python(3)-urllib3 to (>=1.7.1) * debian/copyright - Updated copyright year * debian/patches/02_use-system-chardet-and-urllib3.patches - Refreshed * debian/watch - Switched download URL to https -- Daniele Tricoli Fri, 18 Oct 2013 19:20:21 +0200 requests (1.2.3-1) unstable; urgency=low * New upstream release (Closes: #712915) (LP: #1187429) - Thanks to Scott Moser for the report * debian/compat - Bumped debhelper compatibility level to 9 * debian/control - Bumped debhelper B-D to (>= 9) - Temporarily bumped X-Python-Version to >= 2.7 to prevent FTBFS due to lack of python-urllib3 for Python 2.6 * debian/patches/02_use-system-chardet-and-urllib3.patches - Refreshed -- Daniele Tricoli Fri, 21 Jun 2013 08:52:39 +0200 requests (1.2.0-2) unstable; urgency=low * Uploading to unstable. * rm -rf requests.egg-info on clean so the package can be built twice. -- Thomas Goirand Sat, 11 May 2013 05:15:04 +0000 requests (1.2.0-1) experimental; urgency=low * New upstream version. * Refreshed both debian-specific patches. 
-- Thomas Goirand Thu, 25 Apr 2013 22:56:42 +0000 requests (1.1.0-1) experimental; urgency=low * New upstream release (Closes: #692602) - Thanks to Barry Warsaw for report * debian/control - Added python-chardet, python3-chardet to Build-Depends and moved them from Recommends to Depends since chardet is now required - Added python(3)-urllib3 (>= 1.5) to Build-Depends and Depends since the embedded copy is no more a fork - Removed python(3)-six since python(3)-urllib3 is not embedded anymore - Removed python-gevent and python-oauthlib from Recommends since upstream is not using them anymore - Bumped Standards-Version to 3.9.4 (no changes needed) - Fixed lintian vcs-field-not-canonical * debian/copyright - Updated to reflect upstream switch to Apache 2.0 and updated copyright years * debian/patches/01_do-not-use-python-certifi.patch - Removed because no longer necessary * debian/patches/02_do-not-use-embedded-python-six.patch - Removed because no longer necessary * debian/patches/01_use-system-ca-certificates.patch - Use the bundle provided by ca-certificates instead of the embedded one * debian/patches/02_use-system-chardet-and-urllib3.patches - Use the system python-chardet and python-urllib3 instead of the embedded copies -- Daniele Tricoli Sun, 20 Jan 2013 23:03:45 +0100 requests (0.12.1-1) unstable; urgency=low * New upstream release * debian/control - Added python-oauthlib to python-requests' Recommends field * debian/patches/01_do-not-use-python-certifi.patch - Refreshed -- Daniele Tricoli Fri, 04 May 2012 14:34:47 +0200 requests (0.11.2-1) unstable; urgency=low * New upstream release * debian/patches/01_do-not-use-python-certifi.patch - Refreshed -- Daniele Tricoli Mon, 23 Apr 2012 16:06:33 +0200 requests (0.11.1-1) unstable; urgency=low * New upstream release * debian/control - Added python3-chardet to python3-requests' Recommends field - Updated Description field * debian/patches/02_do-not-use-embedded-python-six.patch - Refreshed -- Daniele Tricoli Sun, 01 
Apr 2012 12:33:42 +0200 requests (0.10.8-1) unstable; urgency=low [ Piotr Ożarowski ] * Fix typo in python3-requests' ${python3:Depends} [ Daniele Tricoli ] * New upstream release (Closes: #663561) * Removed embedded copy of python-six - Added debian/patches/02_do-not-use-embedded-python-six.patch - Added override_dh_auto_configure to debian/rules to remove the embedded copy - Added python(3)-six to Builds-Depends and Depends * debian/control - Bumped Standards-Version to 3.9.3 (no changes needed) * debian/copyright - Added forgotten stanzas about packages inside the fork of python-urllib3 * debian/patches/01_do-not-use-python-certifi.patch - Refreshed * debian/patches/02_fix-python3-except-sintax-error.patch - Removed as it is applied upstream -- Daniele Tricoli Mon, 19 Mar 2012 01:20:59 +0100 requests (0.10.1-1) unstable; urgency=low * New upstream release - Adds Python 3 support * Builded python 3 package * debian/control - Added python-chardet to Recommends - Bumped X-Python-Version >= 2.6 - Added ca-certificates to Depends - Added python3-all to Build-Depends * debian/copyright - Updated Format URI - Updated copyright years * debian/patches/01_do-not-use-python-certifi.patch - To verify SSL certificates for HTTPS requests, use the bundle provided by ca-certificates instead of python-certifi * debian/patches/02_fix-python3-except-sintax-error.patches - Fix SyntaxError on Python3 because "except Error, e" is not supported anymore * debian/rules - Added override_dh_auto_clean to make the package build twice in a row -- Daniele Tricoli Sun, 05 Feb 2012 04:51:38 +0100 requests (0.8.2-1) unstable; urgency=low * New upstream release * debian/watch - Removed "debian uupdate" options * debian/{copyright,README.source} - Updated to reflect upstream changes: switched from poster to urllib3 - Added a stanza about the embedded modified copy of the standard module Cookie -- Daniele Tricoli Fri, 25 Nov 2011 00:02:28 +0100 requests (0.6.4-1) unstable; urgency=low * New 
upstream release * debian/control - Dropped python-eventlet from Depends field because it's not used anymore - Moved python-gevent from Depends field to Recommends field so python-requests can be installed also in ia64 and sparc -- Daniele Tricoli Wed, 19 Oct 2011 20:49:39 +0200 requests (0.6.1-1) unstable; urgency=low * New upstream release -- Daniele Tricoli Tue, 23 Aug 2011 02:00:41 +0200 requests (0.5.0-1) unstable; urgency=low * New upstream release * debian/control - Updated description to mention proxy support -- Daniele Tricoli Sun, 26 Jun 2011 07:12:03 +0200 requests (0.4.1-1) unstable; urgency=low * Initial release (Closes: #629370) -- Daniele Tricoli Mon, 06 Jun 2011 02:11:15 +0200 debian/rules0000775000000000000000000000051412502136414010246 0ustar #!/usr/bin/make -f export PYBUILD_NAME=requests %: dh $@ --with python2,python3 --buildsystem=pybuild override_dh_installchangelogs: dh_installchangelogs HISTORY.rst override_dh_auto_install: dh_auto_install USE_SETUPTOOLS=yes python3 setup.py bdist_wheel \ --universal \ -d $(CURDIR)/debian/tmp/usr/share/python-wheels debian/copyright0000664000000000000000000001250512272023754011132 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: requests Upstream-Contact: Kenneth Reitz Source: http://pypi.python.org/pypi/requests Files: * Copyright: 2011-2014, Kenneth Reitz License: Apache Files: requests/packages/urllib3/* Copyright: 2008-2013, Andrey Petrov License: Expat Files: requests/packages/urllib3/packages/ordered_dict.py Copyright: 2009, Raymond Hettinger License: Expat Files: requests/packages/urllib3/packages/ssl_match_hostname/__init__.py Copyright: 2011, Python Software Foundation License: PSF-2 Files: requests/packages/urllib3/packages/six.py Copyright: 2010-2011, Benjamin Peterson License: Expat Files: requests/packages/chardet/* Copyright: 2006-2008, Mark Pilgrim 2012-2013, Ian Cordasco License: LGPL-2.1+ Files: requests/cacert.pem Copyright: 2013, Mozilla 
License: LGPL-2.1+ Files: debian/* Copyright: 2011-2014, Daniele Tricoli License: Apache License: Apache Licensed under the Apache License, Version 2.0 (the "License"); you may not use this software except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . On Debian systems, the full text of the Apache License, Version 2.0 can be found in the file `/usr/share/common-licenses/Apache-2.0'. License: Expat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. License: PSF-2 1. 
This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. . 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. . 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. . 4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. . 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. . 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. . 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. 
This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. . 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. License: LGPL-2.1+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. . See /usr/share/common-licenses/LGPL-2.1 for the full license text.