From 67baf9a2602b1b0b77455fc1de291f99a589f069 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 16 May 2022 20:35:58 -0700
Subject: [PATCH] Bump urllib3 from 1.26.8 to 1.26.9 (#1688)

* Bump urllib3 from 1.26.8 to 1.26.9

Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.8 to 1.26.9.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/1.26.9/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.8...1.26.9)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update urllib3==1.26.9

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com>

[skip ci]
---
 lib/urllib3/_version.py                |  2 +-
 lib/urllib3/connection.py              |  6 ++----
 lib/urllib3/poolmanager.py             |  1 +
 lib/urllib3/response.py                |  5 ++++-
 lib/urllib3/util/request.py            |  5 ++++-
 lib/urllib3/util/ssl_match_hostname.py | 10 ++++------
 requirements.txt                       |  2 +-
 7 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/lib/urllib3/_version.py b/lib/urllib3/_version.py
index fa8979d7..d905b697 100644
--- a/lib/urllib3/_version.py
+++ b/lib/urllib3/_version.py
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.8"
+__version__ = "1.26.9"
diff --git a/lib/urllib3/connection.py b/lib/urllib3/connection.py
index 4d92ac6d..7bf395bd 100644
--- a/lib/urllib3/connection.py
+++ b/lib/urllib3/connection.py
@@ -355,17 +355,15 @@ class HTTPSConnection(HTTPConnection):
 
     def connect(self):
         # Add certificate verification
-        conn = self._new_conn()
+        self.sock = conn = self._new_conn()
         hostname = self.host
         tls_in_tls = False
 
         if self._is_using_tunnel():
             if self.tls_in_tls_required:
-                conn = self._connect_tls_proxy(hostname, conn)
+                self.sock = conn = self._connect_tls_proxy(hostname, conn)
                 tls_in_tls = True
 
-            self.sock = conn
-
             # Calls self._set_hostport(), so self.host is
             # self._tunnel_host below.
             self._tunnel()
diff --git a/lib/urllib3/poolmanager.py b/lib/urllib3/poolmanager.py
index 3a31a285..ca4ec341 100644
--- a/lib/urllib3/poolmanager.py
+++ b/lib/urllib3/poolmanager.py
@@ -34,6 +34,7 @@ SSL_KEYWORDS = (
     "ca_cert_dir",
     "ssl_context",
     "key_password",
+    "server_hostname",
 )
 
 # All known keyword arguments that could be provided to the pool manager, its
diff --git a/lib/urllib3/response.py b/lib/urllib3/response.py
index 38693f4f..fdb50ddb 100644
--- a/lib/urllib3/response.py
+++ b/lib/urllib3/response.py
@@ -8,7 +8,10 @@ from socket import error as SocketError
 from socket import timeout as SocketTimeout
 
 try:
-    import brotli
+    try:
+        import brotlicffi as brotli
+    except ImportError:
+        import brotli
 except ImportError:
     brotli = None
 
diff --git a/lib/urllib3/util/request.py b/lib/urllib3/util/request.py
index 25103383..b574b081 100644
--- a/lib/urllib3/util/request.py
+++ b/lib/urllib3/util/request.py
@@ -14,7 +14,10 @@ SKIPPABLE_HEADERS = frozenset(["accept-encoding", "host", "user-agent"])
 
 ACCEPT_ENCODING = "gzip,deflate"
 try:
-    import brotli as _unused_module_brotli  # noqa: F401
+    try:
+        import brotlicffi as _unused_module_brotli  # noqa: F401
+    except ImportError:
+        import brotli as _unused_module_brotli  # noqa: F401
 except ImportError:
     pass
 else:
diff --git a/lib/urllib3/util/ssl_match_hostname.py b/lib/urllib3/util/ssl_match_hostname.py
index a4b4a569..1dd950c4 100644
--- a/lib/urllib3/util/ssl_match_hostname.py
+++ b/lib/urllib3/util/ssl_match_hostname.py
@@ -112,11 +112,9 @@ def match_hostname(cert, hostname):
     try:
         # Divergence from upstream: ipaddress can't handle byte str
         host_ip = ipaddress.ip_address(_to_unicode(hostname))
-    except ValueError:
-        # Not an IP address (common case)
-        host_ip = None
-    except UnicodeError:
-        # Divergence from upstream: Have to deal with ipaddress not taking
+    except (UnicodeError, ValueError):
+        # ValueError: Not an IP address (common case)
+        # UnicodeError: Divergence from upstream: Have to deal with ipaddress not taking
         # byte strings.  addresses should be all ascii, so we consider it not
         # an ipaddress in this case
         host_ip = None
@@ -124,7 +122,7 @@ def match_hostname(cert, hostname):
         # Divergence from upstream: Make ipaddress library optional
         if ipaddress is None:
             host_ip = None
-        else:
+        else:  # Defensive
             raise
     dnsnames = []
     san = cert.get("subjectAltName", ())
diff --git a/requirements.txt b/requirements.txt
index 58fe21b6..99f8033e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -45,7 +45,7 @@ tempora==5.0.1
 tokenize-rt==4.2.1
 tzdata==2022.1
 tzlocal==4.2
-urllib3==1.26.8
+urllib3==1.26.9
 webencodings==0.5.1
 websocket-client==1.2.3
 xmltodict==0.12.0