Maj pip

2023-06-01 08:59:37 +02:00
parent 1fe8228d1b
commit 796746d175
346 changed files with 18799 additions and 44645 deletions
--- a/venv/Lib/site-packages/pip/_vendor/urllib3/connection.py
+++ b/venv/Lib/site-packages/pip/_vendor/urllib3/connection.py
@@ -51,15 +51,16 @@ from .exceptions import (
    SubjectAltNameWarning,
    SystemTimeWarning,
 )
-from .packages.ssl_match_hostname import CertificateError, match_hostname
 from .util import SKIP_HEADER, SKIPPABLE_HEADERS, connection
 from .util.ssl_ import (
    assert_fingerprint,
    create_urllib3_context,
+    is_ipaddress,
    resolve_cert_reqs,
    resolve_ssl_version,
    ssl_wrap_socket,
 )
+from .util.ssl_match_hostname import CertificateError, match_hostname

 log = logging.getLogger(__name__)

@@ -67,7 +68,7 @@ port_by_scheme = {"http": 80, "https": 443}

 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2020, 7, 1)
+RECENT_DATE = datetime.date(2022, 1, 1)

 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")

@@ -107,6 +108,10 @@ class HTTPConnection(_HTTPConnection, object):
    #: Whether this connection verifies the host's certificate.
    is_verified = False

+    #: Whether this proxy connection (if used) verifies the proxy host's
+    #: certificate.
+    proxy_is_verified = None
+
    def __init__(self, *args, **kw):
        if not six.PY2:
            kw.pop("strict", None)
@@ -224,6 +229,11 @@ class HTTPConnection(_HTTPConnection, object):
            )

    def request(self, method, url, body=None, headers=None):
+        # Update the inner socket's timeout value to send the request.
+        # This only triggers if the connection is re-used.
+        if getattr(self, "sock", None) is not None:
+            self.sock.settimeout(self.timeout)
+
        if headers is None:
            headers = {}
        else:
@@ -350,17 +360,15 @@ class HTTPSConnection(HTTPConnection):

    def connect(self):
        # Add certificate verification
-        conn = self._new_conn()
+        self.sock = conn = self._new_conn()
        hostname = self.host
        tls_in_tls = False

        if self._is_using_tunnel():
            if self.tls_in_tls_required:
-                conn = self._connect_tls_proxy(hostname, conn)
+                self.sock = conn = self._connect_tls_proxy(hostname, conn)
                tls_in_tls = True

-            self.sock = conn
-
            # Calls self._set_hostport(), so self.host is
            # self._tunnel_host below.
            self._tunnel()
@@ -490,14 +498,10 @@ class HTTPSConnection(HTTPConnection):
            self.ca_cert_dir,
            self.ca_cert_data,
        )
-        # By default urllib3's SSLContext disables `check_hostname` and uses
-        # a custom check. For proxies we're good with relying on the default
-        # verification.
-        ssl_context.check_hostname = True

        # If no cert was provided, use only the default options for server
        # certificate validation
-        return ssl_wrap_socket(
+        socket = ssl_wrap_socket(
            sock=conn,
            ca_certs=self.ca_certs,
            ca_cert_dir=self.ca_cert_dir,
@@ -506,8 +510,37 @@ class HTTPSConnection(HTTPConnection):
            ssl_context=ssl_context,
        )

+        if ssl_context.verify_mode != ssl.CERT_NONE and not getattr(
+            ssl_context, "check_hostname", False
+        ):
+            # While urllib3 attempts to always turn off hostname matching from
+            # the TLS library, this cannot always be done. So we check whether
+            # the TLS Library still thinks it's matching hostnames.
+            cert = socket.getpeercert()
+            if not cert.get("subjectAltName", ()):
+                warnings.warn(
+                    (
+                        "Certificate for {0} has no `subjectAltName`, falling back to check for a "
+                        "`commonName` for now. This feature is being removed by major browsers and "
+                        "deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 "
+                        "for details.)".format(hostname)
+                    ),
+                    SubjectAltNameWarning,
+                )
+            _match_hostname(cert, hostname)
+
+        self.proxy_is_verified = ssl_context.verify_mode == ssl.CERT_REQUIRED
+        return socket
+

 def _match_hostname(cert, asserted_hostname):
+    # Our upstream implementation of ssl.match_hostname()
+    # only applies this normalization to IP addresses so it doesn't
+    # match DNS SANs so we do the same thing!
+    stripped_hostname = asserted_hostname.strip("u[]")
+    if is_ipaddress(stripped_hostname):
+        asserted_hostname = stripped_hostname
+
    try:
        match_hostname(cert, asserted_hostname)
    except CertificateError as e: