From f2629e9e3c7ce3c3c8c025bcd8db551101cbc773 Mon Sep 17 00:00:00 2001 From: Quentin Pradet Date: Fri, 28 Apr 2023 23:17:10 +0400 Subject: [PATCH 1/7] Remove strict parameter (#6434) --- requests/adapters.py | 1 - 1 file changed, 1 deletion(-) diff --git a/requests/adapters.py b/requests/adapters.py index f13ae4e5e2..78e3bb6ecf 100644 --- a/requests/adapters.py +++ b/requests/adapters.py @@ -193,7 +193,6 @@ def init_poolmanager( num_pools=connections, maxsize=maxsize, block=block, - strict=True, **pool_kwargs, ) From 2ad18e0e10e7d7ecd5384c378f25ec8821a10a29 Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Wed, 3 May 2023 08:39:44 -0700 Subject: [PATCH 2/7] v2.30.0 --- HISTORY.md | 12 ++++++++++++ requests/__init__.py | 8 ++++---- requests/__version__.py | 4 ++-- setup.py | 2 +- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 0b7b39ca1f..177ce59fe0 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -6,6 +6,18 @@ dev - \[Short description of non-trivial change.\] +2.30.0 (2023-05-03) +------------------- + +**Dependencies** +- ⚠️ Added support for urllib3 2.0. ⚠️ + + This may contain minor breaking changes so we advise careful testing and + reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html + prior to upgrading. + + Users who wish to stay on urllib3 1.x can pin to `urllib3<2`. + 2.29.0 (2023-04-26) ------------------- diff --git a/requests/__init__.py b/requests/__init__.py index 22db3c1d7c..300a16c574 100644 --- a/requests/__init__.py +++ b/requests/__init__.py 
@@ -66,10 +66,10 @@ def check_compatibility(urllib3_version, chardet_version, charset_normalizer_ver # Check urllib3 for compatibility. major, minor, patch = urllib3_version # noqa: F811 major, minor, patch = int(major), int(minor), int(patch) - # urllib3 >= 1.21.1, <= 1.26 - assert major == 1 - assert minor >= 21 - assert minor <= 26 + # urllib3 >= 1.21.1 + assert major >= 1 + if major == 1: + assert minor >= 21 # Check charset_normalizer for compatibility. if chardet_version: diff --git a/requests/__version__.py b/requests/__version__.py index 4775ae32ed..e0f3373d0d 100644 --- a/requests/__version__.py +++ b/requests/__version__.py @@ -5,8 +5,8 @@ __title__ = "requests" __description__ = "Python HTTP for Humans." __url__ = "https://requests.readthedocs.io" -__version__ = "2.29.0" -__build__ = 0x022900 +__version__ = "2.30.0" +__build__ = 0x023000 __author__ = "Kenneth Reitz" __author_email__ = "me@kennethreitz.org" __license__ = "Apache 2.0" diff --git a/setup.py b/setup.py index bf13369be0..323e4f886d 100755 --- a/setup.py +++ b/setup.py @@ -61,7 +61,7 @@ def run_tests(self): requires = [ "charset_normalizer>=2,<4", "idna>=2.5,<4", - "urllib3>=1.21.1,<1.27", + "urllib3>=1.21.1,<3", "certifi>=2017.4.17", ] test_requirements = [ From d3d504436ef0c2ac7ec8af13738b04dcc8c694be Mon Sep 17 00:00:00 2001 From: Syed Saifullah <39564496+syed-saif@users.noreply.github.com> Date: Tue, 9 May 2023 22:25:33 +0530 Subject: [PATCH 3/7] Fixed a small typo (#6452) --- HISTORY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 177ce59fe0..aaa05e2832 100644 --- a/HISTORY.md +++ b/HISTORY.md 
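Review bot: The relaxed check in check_compatibility now accepts any urllib3 major version of 1 or above, while the setup.py hunk in this same commit pins `urllib3>=1.21.1,<3`; a urllib3 3.x would be refused at install time but pass this runtime check, so the two no longer express the same constraint. Aligning them with `# urllib3 >= 1.21.1, < 3 (matches setup.py)` and `assert major in (1, 2)` (keeping the `minor >= 21` branch for 1.x) keeps the code and the pin in step. These are `assert` statements, which are stripped under `python -O`, so the check is best-effort at most — pre-existing, but a one-line comment saying so would stop readers treating it as a guarantee. check_compatibility's body starts before this hunk and its charset_normalizer branch continues after it.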
@@ -73,7 +73,7 @@ dev cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with `requests.exceptions.SSLError` for `content` and `iter_content`. (#6057) -- Fixed issue where invalid Windows registry entires caused proxy resolution +- Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (#6149) - Fixed issue where entire payload could be included in the error message for JSONDecodeError. (#6036) From b639e66c816514e40604d46f0088fbceec1a5149 Mon Sep 17 00:00:00 2001 From: Thomas Grainger Date: Sat, 13 May 2023 15:10:56 +0100 Subject: [PATCH 4/7] test on py3.12 (#6448) * test on py3.12 * update to pytest-httpbin==2.0.0 --- .github/workflows/run-tests.yml | 2 +- requirements-dev.txt | 2 +- setup.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 71fb63e44d..677ae11477 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -12,7 +12,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"] + python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", "3.12-dev"] os: [ubuntu-22.04, macOS-latest, windows-latest] include: # pypy-3.7 on Mac OS currently fails trying to compile diff --git a/requirements-dev.txt b/requirements-dev.txt index e29f2474d2..d62637378e 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,7 +1,7 @@ -e .[socks] pytest>=2.8.0,<=6.2.5 pytest-cov -pytest-httpbin==1.0.0 +pytest-httpbin==2.0.0 pytest-mock==2.0.0 httpbin==0.7.0 trustme diff --git a/setup.py b/setup.py index 323e4f886d..012354574d 100755 --- a/setup.py +++ b/setup.py 
@@ -65,7 +65,7 @@ def run_tests(self): "certifi>=2017.4.17", ] test_requirements = [ - "pytest-httpbin==0.0.7", + "pytest-httpbin==2.0.0", "pytest-cov", "pytest-mock", "pytest-xdist", From 302225334678490ec66b3614a9dddb8a02c5f4fe Mon Sep 17 00:00:00 2001 From: Thomas Grainger Date: Mon, 15 May 2023 16:04:21 +0100 Subject: [PATCH 5/7] test on pypy 3.8 and pypy 3.9 on windows and macos (#6424) --- .github/workflows/run-tests.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 677ae11477..c4159508e4 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -12,14 +12,13 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", "3.12-dev"] + python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", "3.12-dev", "pypy-3.8", "pypy-3.9"] os: [ubuntu-22.04, macOS-latest, windows-latest] include: - # pypy-3.7 on Mac OS currently fails trying to compile - # brotlipy. Moving pypy3 to only test linux. + # pypy-3.7 on Windows and Mac OS currently fails trying to compile + # cryptography. Moving pypy-3.7 to only test linux. - python-version: pypy-3.7 os: ubuntu-latest - experimental: false steps: - uses: actions/checkout@v2 From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Mon, 22 May 2023 08:08:57 -0700 Subject: [PATCH 6/7] Merge pull request from GHSA-j8r2-6x86-q33q --- requests/sessions.py | 4 +++- tests/test_requests.py | 20 ++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/requests/sessions.py b/requests/sessions.py index 6cb3b4dae3..dbcf2a7b0e 100644 --- a/requests/sessions.py +++ b/requests/sessions.py 
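Review bot: In the run-tests.yml hunk the `include` entry for pypy-3.7 still uses `os: ubuntu-latest` while the matrix `os` list pins `ubuntu-22.04`, so that one job floats to whatever image `ubuntu-latest` currently maps to; `os: ubuntu-22.04` keeps it consistent with the rest of the matrix. The hunk also drops `experimental: false` from that entry — if the job reads `matrix.experimental` anywhere outside this hunk (for example in `continue-on-error`), the key is now unset for every entry, which is presumably intended but worth a word in the updated comment.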
@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): except KeyError: username, password = None, None - if username and password: + # urllib3 handles proxy authorization for us in the standard adapter. + # Avoid appending this to TLS tunneled requests where it may be leaked. + if not scheme.startswith('https') and username and password: headers["Proxy-Authorization"] = _basic_auth_str(username, password) return new_proxies diff --git a/tests/test_requests.py b/tests/test_requests.py index b1c8dd4534..b420c44d73 100644 --- a/tests/test_requests.py +++ b/tests/test_requests.py @@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + + @pytest.mark.parametrize( + "url,has_proxy_auth", + ( + ('http://example.com', True), + ('https://example.com', False), + ), + ) + def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): + session = requests.Session() + proxies = { + 'http': 'http://test:pass@localhost:8080', + 'https': 'http://test:pass@localhost:8090', + } + req = requests.Request('GET', url) + prep = req.prepare() + session.rebuild_proxies(prep, proxies) + + assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth + def test_basicauth_with_netrc(self, httpbin): auth = ("user", "pass") wrong_auth = ("wronguser", "wrongpass") From 147c8511ddbfa5e8f71bbf5c18ede0c4ceb3bba4 Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Mon, 22 May 2023 08:10:32 -0700 Subject: [PATCH 7/7] v2.31.0 --- HISTORY.md | 27 +++++++++++++++++++++++++++ requests/__version__.py | 4 ++-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index aaa05e2832..bbe6dd425b 100644 --- a/HISTORY.md +++ b/HISTORY.md 
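Review bot: The new condition relies on `scheme`, which is bound above this hunk (rebuild_proxies starts outside it), and `scheme.startswith('https')` is looser than the comment's "TLS tunneled" wording suggests; if only the `https` scheme is meant, `scheme == "https"` states that precisely, and if other tunnelled schemes are intended the comment should name them. The new literal `'https'` and the test hunk's `'http://test:pass@localhost:8080'` use single quotes while the neighbouring lines use double quotes (`"Proxy-Authorization"`), so the file's formatter will rewrite them on the next pass. The added test calls `rebuild_proxies` directly; a second case that drives an http-to-https redirect through `Session.resolve_redirects` would pin the actual redirect path the advisory describes rather than only the helper.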
@@ -6,6 +6,33 @@ dev - \[Short description of non-trivial change.\] +2.31.0 (2023-05-22) +------------------- + +**Security** +- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential + forwarding of `Proxy-Authorization` headers to destination servers when + following HTTPS redirects. + + When proxies are defined with user info (https://user:pass@proxy:8080), Requests + will construct a `Proxy-Authorization` header that is attached to the request to + authenticate with the proxy. + + In cases where Requests receives a redirect response, it previously reattached + the `Proxy-Authorization` header incorrectly, resulting in the value being + sent through the tunneled connection to the destination server. Users who rely on + defining their proxy credentials in the URL are *strongly* encouraged to upgrade + to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy + credentials once the change has been fully deployed. + + Users who do not use a proxy or do not supply their proxy credentials through + the user information portion of their proxy URL are not subject to this + vulnerability. + + Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q) + and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681). + + 2.30.0 (2023-05-03) ------------------- diff --git a/requests/__version__.py b/requests/__version__.py index e0f3373d0d..5063c3f8ee 100644 --- a/requests/__version__.py +++ b/requests/__version__.py @@ -5,8 +5,8 @@ __title__ = "requests" __description__ = "Python HTTP for Humans." __url__ = "https://requests.readthedocs.io" -__version__ = "2.30.0" -__build__ = 0x023000 +__version__ = "2.31.0" +__build__ = 0x023100 __author__ = "Kenneth Reitz" __author_email__ = "me@kennethreitz.org" __license__ = "Apache 2.0"