Vendored urllib3

[jayvdb]

I see this is using a vendored urllib3, and quite an old one, branched off at PyPI version 1.25.6.

There are a few vulnerabilities since then.

https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-35569/Python-Urllib3.html

Are there critical changes in the vendored copy, which need to be retained? Have they been proposed to the main urllib3 project?
etc.

[Harmon758]

For reference, the reason there's a vendored version being used: #533, urllib3/urllib3#857.
It seems the upstream PR, urllib3/urllib3#1092, became stale and was closed.

[tsnoam]

Hi @jayvdb

First, thank you for bringing these CVEs to our attention.

We're using a vendored urllib3 because there was a bug in the upstream package causing connection creation problems on some extreme cases. For some reason this bug was quite common with Telegram bots.
We've managed to mitigate the problem, however we found it quite tricky or even impossible to recreate the bug in lab conditions. The upstream project refused to accept the fix without proper tests and we found ourselves forking the library.
Since then we've made a decision to only cherry-pick relevant fixes in the upstream urllib3 rather than trying to follow the upstream library. The main reason is to keep a stable backend for networking for our users.

To the subject in hand:
We've reviewed the relevant 3 CVEs:

• CVE-2018-20060 , CVE-2019-11236 - affect only users who's been hacking ptb to download files from the internet. This comes from the assumption that Telegram servers are safe to interact with. I would consider the impact of these CVEs low.
• CVE-2019-11324 - As the CVE suggests affects all users who use a non-default certificate store. I would dare to guess that it won't affect the majority of ptb users.

We'll investigate the option to cherry-pick the various fixes to urllib3 into the vendored library.

[jayvdb]

Thanks @tsnoam .

The reason I am interested is I would like to create a package for openSUSE, and they will of course object to the vendoring of an old library containing quite critical CVE's, even if they are unlikely to affect typical users/usages of that package.

Existing third party packages are at https://repology.org/project/python:python-telegram-bot/versions
NixOS have de-vendored urllib3

https://github.com/NixOS/nixpkgs/blob/release-19.09/pkgs/development/python-modules/python-telegram-bot/default.nix#L23

Currently the build system requires using the ptb fork'd urllib3, and complains bitterly if it is missing.

Would you consider making the vendoring optional? Then your official tarballs and wheels would include it, but the code would detect the vendored urllib3 is missing and fallback to the real urllib3.

This would allow third parties to more easily redist ptb, and also would give you extra labs running your test suite constantly on their buildbots, however maybe not so useful for diagnosing this specific bug as their buildbots are usually disconnected from the internet and they disable tests which try to use it. But they also have extra support mechanisms, which may help with diagnosing the problem.

[tsnoam]

@jayvdb
Being included as part of a Linux distribution is always an honour.
Following your request we have decided to allow the vendored_urllib3 to be optional during setup.py.
#1583 was opened to track that feature.

[Bibo-Joshi]

Closed by #1725