Upgrade urllib3 to 1.26.7

pradyunsg · pradyunsg · commit df318152ec7b · 2021-10-03T14:19:37.000+01:00
diff --git a/news/urllib3.vendor.rst b/news/urllib3.vendor.rst
@@ -0,0 +1 @@
+Upgrade urllib3 to 1.26.7
diff --git a/src/pip/_vendor/urllib3/_version.py b/src/pip/_vendor/urllib3/_version.py
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.6"
+__version__ = "1.26.7"
diff --git a/src/pip/_vendor/urllib3/connection.py b/src/pip/_vendor/urllib3/connection.py
@@ -56,6 +56,7 @@ class BrokenPipeError(Exception):
 from .util.ssl_ import (
     assert_fingerprint,
     create_urllib3_context,
+    is_ipaddress,
     resolve_cert_reqs,
     resolve_ssl_version,
     ssl_wrap_socket,
@@ -107,6 +108,10 @@ class HTTPConnection(_HTTPConnection, object):
     #: Whether this connection verifies the host's certificate.
     is_verified = False
 
+    #: Whether this proxy connection (if used) verifies the proxy host's
+    #: certificate.
+    proxy_is_verified = None
+
     def __init__(self, *args, **kw):
         if not six.PY2:
             kw.pop("strict", None)
@@ -490,14 +495,10 @@ def _connect_tls_proxy(self, hostname, conn):
             self.ca_cert_dir,
             self.ca_cert_data,
         )
-        # By default urllib3's SSLContext disables `check_hostname` and uses
-        # a custom check. For proxies we're good with relying on the default
-        # verification.
-        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation
-        return ssl_wrap_socket(
+        socket = ssl_wrap_socket(
             sock=conn,
             ca_certs=self.ca_certs,
             ca_cert_dir=self.ca_cert_dir,
@@ -506,8 +507,37 @@ def _connect_tls_proxy(self, hostname, conn):
             ssl_context=ssl_context,
         )
 
+        if ssl_context.verify_mode != ssl.CERT_NONE and not getattr(
+            ssl_context, "check_hostname", False
+        ):
+            # While urllib3 attempts to always turn off hostname matching from
+            # the TLS library, this cannot always be done. So we check whether
+            # the TLS Library still thinks it's matching hostnames.
+            cert = socket.getpeercert()
+            if not cert.get("subjectAltName", ()):
+                warnings.warn(
+                    (
+                        "Certificate for {0} has no `subjectAltName`, falling back to check for a "
+                        "`commonName` for now. This feature is being removed by major browsers and "
+                        "deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 "
+                        "for details.)".format(hostname)
+                    ),
+                    SubjectAltNameWarning,
+                )
+            _match_hostname(cert, hostname)
+
+        self.proxy_is_verified = ssl_context.verify_mode == ssl.CERT_REQUIRED
+        return socket
+
 
 def _match_hostname(cert, asserted_hostname):
+    # Our upstream implementation of ssl.match_hostname()
+    # only applies this normalization to IP addresses so it doesn't
+    # match DNS SANs so we do the same thing!
+    stripped_hostname = asserted_hostname.strip("u[]")
+    if is_ipaddress(stripped_hostname):
+        asserted_hostname = stripped_hostname
+
     try:
         match_hostname(cert, asserted_hostname)
     except CertificateError as e:
diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
@@ -1020,6 +1020,17 @@ def _validate_conn(self, conn):
                 InsecureRequestWarning,
             )
 
+        if getattr(conn, "proxy_is_verified", None) is False:
+            warnings.warn(
+                (
+                    "Unverified HTTPS connection done to an HTTPS proxy. "
+                    "Adding certificate verification is strongly advised. See: "
+                    "https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html"
+                    "#ssl-warnings"
+                ),
+                InsecureRequestWarning,
+            )
+
 
 def connection_from_url(url, **kw):
     """
diff --git a/src/pip/_vendor/urllib3/contrib/_securetransport/low_level.py b/src/pip/_vendor/urllib3/contrib/_securetransport/low_level.py
@@ -188,6 +188,7 @@ def _cert_array_from_pem(pem_bundle):
         # We only want to do that if an error occurs: otherwise, the caller
         # should free.
         CoreFoundation.CFRelease(cert_array)
+        raise
 
     return cert_array
 
diff --git a/src/pip/_vendor/urllib3/util/proxy.py b/src/pip/_vendor/urllib3/util/proxy.py
@@ -45,6 +45,7 @@ def create_proxy_ssl_context(
         ssl_version=resolve_ssl_version(ssl_version),
         cert_reqs=resolve_cert_reqs(cert_reqs),
     )
+
     if (
         not ca_certs
         and not ca_cert_dir
diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
@@ -13,7 +13,7 @@ requests==2.26.0
     certifi==2021.05.30
     chardet==4.0.0
     idna==3.2
-    urllib3==1.26.6
+    urllib3==1.26.7
 resolvelib==0.7.1
 setuptools==44.0.0
 six==1.16.0

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`# This file is protected via CODEOWNERS`
`2`		`-__version__ = "1.26.6"`
	`2`	`+__version__ = "1.26.7"`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ def create_proxy_ssl_context(`
`45`	`45`	`ssl_version=resolve_ssl_version(ssl_version),`
`46`	`46`	`cert_reqs=resolve_cert_reqs(cert_reqs),`
`47`	`47`	`)`
	`48`	`+`
`48`	`49`	`if (`
`49`	`50`	`not ca_certs`
`50`	`51`	`and not ca_cert_dir`