util/ssl: make code resilient to missing hash functions #3434
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
illia-v
reviewed
Jul 31, 2024
There was a problem hiding this comment.
Thanks @shashankram!
Please format the code with nox -rs format and add a changelog entry
illia-v
reviewed
Jul 31, 2024
In certain environments such as in a FIPS enabled system, certain algorithms such as md5 may be unavailable. Due to the importing of such a module on a system where it is unavailable, urllib will crash and is unusable. This change makes the code more resilient by deferring the usage of the hash function module unless they are required. If the hash function is unavailable but required, an SSLError is raised indicating the same. If the hash function is unavailable but not required, urllib functions instead of crashing. Part of urllib3#3432
shashankram
force-pushed
the
handle-disabled-hashes
branch
from
7548913
to
b6e6014
Compare
|
@illia-v let me know if this looks good. I'll open a PR for 1.26.x next. |
illia-v
reviewed
Aug 1, 2024
Co-authored-by: Illia Volochii <[email protected]>
illia-v
approved these changes
Aug 2, 2024
There was a problem hiding this comment.
LGTM, thanks! @shashankram feel free to claim the $100 bounty from our OpenCollective
Ousret
added a commit
to jawah/urllib3.future
that referenced
this pull request
Aug 4, 2024
- Fixed wrong upgrade attempt to QUIC when using a SOCKS proxy. Any usage of a proxy disable HTTP/3 over QUIC as per documented. until proper support is implemented in a next minor version. - Backported upstream urllib3 urllib3#3434: util/ssl: make code resilient to missing hash functions. In certain environments such as in a FIPS enabled system, certain algorithms such as md5 may be unavailable. Due to the importing of such a module on a system where it is unavailable, urllib3(-future) will crash and is unusable. urllib3#3434 - Backported upstream urllib3 GHSA-34jh-p97f-mpxf: Strip Proxy-Authorization header on redirects. Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. - Fixed state-machine desync on a rare scenario when uploading a body using HTTP/3 over QUIC.
Ousret
added a commit
to jawah/urllib3.future
that referenced
this pull request
Aug 4, 2024
- Fixed wrong upgrade attempt to QUIC when using a SOCKS proxy. Any usage of a proxy disable HTTP/3 over QUIC as per documented. until proper support is implemented in a next minor version. - Backported upstream urllib3 urllib3#3434: util/ssl: make code resilient to missing hash functions. In certain environments such as in a FIPS enabled system, certain algorithms such as md5 may be unavailable. Due to the importing of such a module on a system where it is unavailable, urllib3(-future) will crash and is unusable. urllib3#3434 - Backported upstream urllib3 GHSA-34jh-p97f-mpxf: Strip Proxy-Authorization header on redirects. Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. - Fixed state-machine desync on a rare scenario when uploading a body using HTTP/3 over QUIC.
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In certain environments such as in a FIPS enabled system, certain algorithms such as md5 may be unavailable. Due to the importing of such a module on a system where it is unavailable, urllib will crash and is unusable.
This change makes the code more resilient by deferring the usage of the hash function module unless they are required. If the hash function is unavailable but required, an SSLError is raised indicating the same. If the hash function is unavailable but not required, urllib functions instead of crashing.
Part of #3432