Merge pull request #9760 from hroncok/CVE-2021-28363

Update urllib3 to 1.26.4 to fix CVE-2021-28363

Author: pradyunsg

news/CVE-2021-28363.vendor.rst

@@ -0,0 +1 @@
+Update urllib3 to 1.26.4 to fix CVE-2021-28363

src/pip/_vendor/urllib3/_version.py

@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.2"
+__version__ = "1.26.4"

src/pip/_vendor/urllib3/connection.py

@@ -67,7 +67,7 @@ class BrokenPipeError(Exception):
 
 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2020, 7, 1)
 
 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 
@@ -215,7 +215,7 @@ def putrequest(self, method, url, *args, **kwargs):
 
     def putheader(self, header, *values):
         """"""
-        if SKIP_HEADER not in values:
+        if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
             _HTTPConnection.putheader(self, header, *values)
         elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
             raise ValueError(
@@ -490,6 +490,10 @@ def _connect_tls_proxy(self, hostname, conn):
             self.ca_cert_dir,
             self.ca_cert_data,
         )
+        # By default urllib3's SSLContext disables `check_hostname` and uses
+        # a custom check. For proxies we're good with relying on the default
+        # verification.
+        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation

src/pip/_vendor/urllib3/exceptions.py

@@ -289,7 +289,17 @@ class ProxySchemeUnknown(AssertionError, URLSchemeUnknown):
     # TODO(t-8ch): Stop inheriting from AssertionError in v2.0.
 
     def __init__(self, scheme):
-        message = "Not supported proxy scheme %s" % scheme
+        # 'localhost' is here because our URL parser parses
+        # localhost:8080 -> scheme=localhost, remove if we fix this.
+        if scheme == "localhost":
+            scheme = None
+        if scheme is None:
+            message = "Proxy URL had no scheme, should start with http:// or https://"
+        else:
+            message = (
+                "Proxy URL had unsupported scheme %s, should use http:// or https://"
+                % scheme
+            )
         super(ProxySchemeUnknown, self).__init__(message)
 
 

src/pip/_vendor/urllib3/util/retry.py

@@ -253,6 +253,7 @@ def __init__(
                 "Using 'method_whitelist' with Retry is deprecated and "
                 "will be removed in v2.0. Use 'allowed_methods' instead",
                 DeprecationWarning,
+                stacklevel=2,
             )
             allowed_methods = method_whitelist
         if allowed_methods is _Default:

src/pip/_vendor/vendor.txt

@@ -13,7 +13,7 @@ requests==2.25.1
     certifi==2020.12.05
     chardet==4.0.0
     idna==2.10
-    urllib3==1.26.2
+    urllib3==1.26.4
 resolvelib==0.5.4
 retrying==1.3.3
 setuptools==44.0.0