.github/workflows/ci.yml

@@ -32,7 +32,7 @@ jobs:
       fail-fast: false
       matrix:
         python-version: ["2.7", "3.6", "3.7", "3.8", "3.9", "3.10"]
-        os: [macos-latest, windows-latest, ubuntu-latest]
+        os: [macos-11, windows-latest, ubuntu-latest]
         experimental: [false]
         nox-session: ['']
         include:
@@ -62,7 +62,7 @@ jobs:
             nox-session: test-3.11
 
     runs-on: ${{ matrix.os }}
-    name: ${{ fromJson('{"macos-latest":"macOS","windows-latest":"Windows","ubuntu-latest":"Ubuntu"}')[matrix.os] }} ${{ matrix.python-version }} ${{ matrix.nox-session}}
+    name: ${{ fromJson('{"macos-11":"macOS","windows-latest":"Windows","ubuntu-latest":"Ubuntu"}')[matrix.os] }} ${{ matrix.python-version }} ${{ matrix.nox-session}}
     continue-on-error: ${{ matrix.experimental }}
     steps:
       - name: Checkout Repository

.github/workflows/publish.yml

@@ -21,10 +21,10 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b"
+        uses: "actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8"
 
       - name: "Setup Python"
-        uses: "actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5"
+        uses: "actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984"
         with:
           python-version: "3.x"
 
@@ -42,7 +42,7 @@ jobs:
           cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"
 
       - name: "Upload dists"
-        uses: "actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8"
+        uses: "actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb"
         with:
           name: "dist"
           path: "dist/"
@@ -55,21 +55,24 @@ jobs:
       actions: read
       contents: write
       id-token: write
-    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0"
+    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1"
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       attestation-name: "urllib3.intoto.jsonl"
       upload-assets: true
+      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
 
   publish:
     name: "Publish"
     if: startsWith(github.ref, 'refs/tags/')
     needs: ["build", "provenance"]
+    permissions:
+      contents: write
     runs-on: "ubuntu-latest"
 
     steps:
     - name: "Download dists"
-      uses: "actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741"
+      uses: "actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7"
       with:
         name: "dist"
         path: "dist/"

CHANGES.rst

@@ -1,6 +1,16 @@
 Changes
 =======
 
+1.26.13 (2022-11-23)
+--------------------
+
+* Deprecated the ``HTTPResponse.getheaders()`` and ``HTTPResponse.getheader()`` methods.
+* Fixed an issue where parsing a URL with leading zeroes in the port would be rejected
+  even when the port number after removing the zeroes was valid.
+* Fixed a deprecation warning when using cryptography v39.0.0.
+* Removed the ``<4`` in the ``Requires-Python`` packaging metadata field.
+
+
 1.26.12 (2022-08-22)
 --------------------
 

README.rst

@@ -2,7 +2,7 @@
 
    <p align="center">
       <a href="https://github.com/urllib3/urllib3">
-         <img src="./docs/images/banner.svg" width="60%" alt="urllib3" />
+         <img src="./docs/_static/banner.svg" width="60%" alt="urllib3" />
       </a>
    </p>
    <p align="center">

dev-requirements.txt

@@ -12,7 +12,7 @@ pytest-freezegun==0.4.2
 flaky==3.7.0
 trustme==0.7.0
 cryptography==3.2.1;python_version<"3.6"
-cryptography==3.4.7;python_version>="3.6"
+cryptography==38.0.3;python_version>="3.6"
 python-dateutil==2.8.1
 
 # https://github.com/GrahamDumpleton/wrapt/issues/189

setup.py

@@ -82,7 +82,7 @@
     ],
     package_dir={"": "src"},
     requires=[],
-    python_requires=">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*, <4",
+    python_requires=">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*",
     extras_require={
         "brotli": [
             "brotli>=1.0.9; (os_name != 'nt' or python_version >= '3') and platform_python_implementation == 'CPython'",

src/urllib3/_version.py

@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.12"
+__version__ = "1.26.13"

src/urllib3/connectionpool.py

@@ -862,7 +862,7 @@ def _is_ssl_error_message_from_http_proxy(ssl_error):
             )
 
         # Check if we should retry the HTTP response.
-        has_retry_after = bool(response.getheader("Retry-After"))
+        has_retry_after = bool(response.headers.get("Retry-After"))
         if retries.is_retry(method, response.status, has_retry_after):
             try:
                 retries = retries.increment(method, url, response=response, _pool=self)

src/urllib3/contrib/pyopenssl.py

@@ -47,10 +47,10 @@
 """
 from __future__ import absolute_import
 
+import OpenSSL.crypto
 import OpenSSL.SSL
 from cryptography import x509
 from cryptography.hazmat.backends.openssl import backend as openssl_backend
-from cryptography.hazmat.backends.openssl.x509 import _Certificate
 
 try:
     from cryptography.x509 import UnsupportedExtension
@@ -228,9 +228,8 @@ def get_subj_alt_name(peer_cert):
     if hasattr(peer_cert, "to_cryptography"):
         cert = peer_cert.to_cryptography()
     else:
-        # This is technically using private APIs, but should work across all
-        # relevant versions before PyOpenSSL got a proper API for this.
-        cert = _Certificate(openssl_backend, peer_cert._x509)
+        der = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, peer_cert)
+        cert = x509.load_der_x509_certificate(der, openssl_backend)
 
     # We want to find the SAN extension. Ask Cryptography to locate it (it's
     # faster than looping in Python)

src/urllib3/response.py

@@ -3,6 +3,7 @@
 import io
 import logging
 import sys
+import warnings
 import zlib
 from contextlib import contextmanager
 from socket import error as SocketError
@@ -663,9 +664,21 @@ def from_httplib(ResponseCls, r, **response_kw):
 
     # Backwards-compatibility methods for http.client.HTTPResponse
     def getheaders(self):
+        warnings.warn(
+            "HTTPResponse.getheaders() is deprecated and will be removed "
+            "in urllib3 v2.1.0. Instead access HTTResponse.headers directly.",
+            category=DeprecationWarning,
+            stacklevel=2,
+        )
         return self.headers
 
     def getheader(self, name, default=None):
+        warnings.warn(
+            "HTTPResponse.getheader() is deprecated and will be removed "
+            "in urllib3 v2.1.0. Instead use HTTResponse.headers.get(name, default).",
+            category=DeprecationWarning,
+            stacklevel=2,
+        )
         return self.headers.get(name, default)
 
     # Backwards compatibility for http.cookiejar

src/urllib3/util/retry.py

@@ -394,7 +394,7 @@ def parse_retry_after(self, retry_after):
     def get_retry_after(self, response):
         """Get the value of Retry-After in seconds."""
 
-        retry_after = response.getheader("Retry-After")
+        retry_after = response.headers.get("Retry-After")
 
         if retry_after is None:
             return None

src/urllib3/util/url.py

@@ -63,7 +63,7 @@
 BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
 ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
 
-_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+_HOST_PORT_PAT = ("^(%s|%s|%s)(?::0*([0-9]{0,5}))?$") % (
     REG_NAME_PAT,
     IPV4_PAT,
     IPV6_ADDRZ_PAT,

test/test_response.py

@@ -13,6 +13,7 @@
 import pytest
 import six
 
+from urllib3._collections import HTTPHeaderDict
 from urllib3.exceptions import (
     DecodeError,
     IncompleteRead,
@@ -57,12 +58,20 @@ class TestLegacyResponse(object):
     def test_getheaders(self):
         headers = {"host": "example.com"}
         r = HTTPResponse(headers=headers)
-        assert r.getheaders() == headers
+        with pytest.warns(
+            DeprecationWarning,
+            match=r"HTTPResponse.getheaders\(\) is deprecated",
+        ):
+            assert r.getheaders() == HTTPHeaderDict(headers)
 
     def test_getheader(self):
         headers = {"host": "example.com"}
         r = HTTPResponse(headers=headers)
-        assert r.getheader("host") == "example.com"
+        with pytest.warns(
+            DeprecationWarning,
+            match=r"HTTPResponse.getheader\(\) is deprecated",
+        ):
+            assert r.getheader("host") == "example.com"
 
 
 class TestResponse(object):

test/test_util.py

@@ -347,6 +347,10 @@ def test_parse_url_negative_port(self):
         with pytest.raises(LocationParseError):
             parse_url("https://www.google.com:-80/")
 
+    def test_parse_url_remove_leading_zeros(self):
+        url = parse_url("https://example.com:0000000000080")
+        assert url.port == 80
+
     def test_Url_str(self):
         U = Url("http", host="google.com")
         assert str(U) == U.url