From 79c4a017fe341fb989d3a7876cf4e44b87601b58 Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Fri, 25 Feb 2022 11:25:20 -0700
Subject: [PATCH] Fix environment CA Bundle resolution

---
 requests/sessions.py   | 19 +++++++++++++------
 tests/test_requests.py | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/requests/sessions.py b/requests/sessions.py
index 3f59cab922..d72ae4674a 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -702,11 +702,14 @@ def merge_environment_settings(self, url, proxies, stream, verify, cert):
             for (k, v) in env_proxies.items():
                 proxies.setdefault(k, v)
 
-            # Look for requests environment configuration and be compatible
-            # with cURL.
+            # Look for requests environment configuration
+            # and be compatible with cURL.
             if verify is True or verify is None:
-                verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
-                          os.environ.get('CURL_CA_BUNDLE'))
+                verify = (
+                    os.environ.get('REQUESTS_CA_BUNDLE')
+                    or os.environ.get('CURL_CA_BUNDLE')
+                    or verify
+                )
 
         # Merge all the kwargs.
         proxies = merge_setting(proxies, self.proxies)
@@ -714,8 +717,12 @@ def merge_environment_settings(self, url, proxies, stream, verify, cert):
         verify = merge_setting(verify, self.verify)
         cert = merge_setting(cert, self.cert)
 
-        return {'verify': verify, 'proxies': proxies, 'stream': stream,
-                'cert': cert}
+        return {
+            'proxies': proxies,
+            'stream': stream,
+            'verify': verify,
+            'cert': cert
+        }
 
     def get_adapter(self, url):
         """
diff --git a/tests/test_requests.py b/tests/test_requests.py
index 074c372a82..19e483d3f1 100644
--- a/tests/test_requests.py
+++ b/tests/test_requests.py
@@ -898,6 +898,42 @@ def test_invalid_ssl_certificate_files(self, httpbin_secure):
             requests.get(httpbin_secure(), cert=('.', INVALID_PATH))
         assert str(e.value) == 'Could not find the TLS key file, invalid path: {}'.format(INVALID_PATH)
 
+    @pytest.mark.parametrize(
+        'env, expected', (
+            ({}, True),
+            ({'REQUESTS_CA_BUNDLE': '/some/path'}, '/some/path'),
+            ({'REQUESTS_CA_BUNDLE': ''}, True),
+            ({'CURL_CA_BUNDLE': '/some/path'}, '/some/path'),
+            ({'CURL_CA_BUNDLE': ''}, True),
+            ({'REQUESTS_CA_BUNDLE': '', 'CURL_CA_BUNDLE': ''}, True),
+            (
+                {
+                    'REQUESTS_CA_BUNDLE': '/some/path',
+                    'CURL_CA_BUNDLE': '/curl/path',
+                },
+                '/some/path',
+            ),
+            (
+                {
+                    'REQUESTS_CA_BUNDLE': '',
+                    'CURL_CA_BUNDLE': '/curl/path',
+                },
+                '/curl/path',
+            ),
+        )
+    )
+    def test_env_cert_bundles(self, httpbin, mocker, env, expected):
+        s = requests.Session()
+        mocker.patch('os.environ', env)
+        settings = s.merge_environment_settings(
+            url=httpbin('get'),
+            proxies={},
+            stream=False,
+            verify=True,
+            cert=None
+        )
+        assert settings['verify'] == expected
+
     def test_http_with_certificate(self, httpbin):
         r = requests.get(httpbin(), cert='.')
         assert r.status_code == 200