From 6defe320551d745b4feebda79bc9b6e5a17f5350 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 18 Mar 2019 19:07:39 -0400
Subject: [PATCH] Send only the path and not the full URI to httplib.request
Sending the full uri was causing httplib to send requests as:
POST http://ipa.example.com/ca/admin/ca/getStatus HTTP/1.1
From what I can tell tomcat changed its URL handling due to a CVE (BZ 1552375). This has been wrong in freeipa since the CA status checking was added, d6fbbd5 , but tomcat handled it fine so we didn't notice.
https://pagure.io/freeipa/issue/7883
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipapython/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index dd3f3aef8..dc40e80d8 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -227,7 +227,7 @@ def _httplib_request(
 try:
 conn = connection_factory(host, port, **connection_options)
- conn.request(method, uri, body=request_body, headers=headers)
+ conn.request(method, path, body=request_body, headers=headers)
 res = conn.getresponse()
 http_status = res.status
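Review bot: Nothing in the hunk shows that `path` on the changed `conn.request(method, path, ...)` line is always an origin-form target (leading `/`, no scheme or host). It is defined outside the hunk, so that is worth confirming where `_httplib_request` receives it. The commit message says the absolute-form target went unnoticed since d6fbbd5 because the server tolerated it, so a unit test would help: a stub `connection_factory` that records the arguments to `request()` and asserts the second one is the bare path would stop this regressing silently. I would also add a comment above the call, `# origin-form request target (path only); absolute-form is meant for proxies`, so `uri` is not reintroduced here. The body of `_httplib_request` starts and ends outside the hunk.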