cpython.git/Lib/test/test_httpservers.py, branch v3.12.0b2 https://github.com/python/cpython.git gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (#103205) 2023-05-12T20:25:58Z Ben Kallus 49924171+kenballus@users.noreply.github.com 2023-05-12T20:25:58Z cf720acfcbd8c9c25a706a4b6df136465a803992 Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long. --------- Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Gregory P. Smith <greg@krypto.org> 
Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.

---------

Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
 gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (#104067) 2023-05-03T03:42:00Z Ethan Furman ethan@stoneleaf.us 2023-05-03T03:42:00Z c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> 
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

---------

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
 gh-100474: Fix handling of dirs named index.html in http.server (GH-100475) 2022-12-24T18:28:59Z James Frost git@frost.cx 2022-12-24T18:28:59Z 46e6a28308def2c3a71c679a6fa4ed7d520802b9 If you had a directory called index.html or index.htm within a directory, it would cause http.server to return a 404 Not Found error instead of the directory listing. This came about due to not checking that the index was a regular file. I have also added a test case for this situation. Automerge-Triggered-By: GH:merwok 
If you had a directory called index.html or index.htm within a directory, it would cause http.server to return a 404 Not Found error instead of the directory listing. This came about due to not checking that the index was a regular file.

I have also added a test case for this situation.

Automerge-Triggered-By: GH:merwok
 gh-100001: Also escape \s in http.server log messages. (#100038) 2022-12-05T22:27:55Z Gregory P. Smith greg@krypto.org 2022-12-05T22:27:55Z 7e29398407dbd53b714702abb89aa2fd7baca48a Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. 
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was.  Without this a \xHH is ambiguious as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
 gh-100001: Omit control characters in http.server stderr logs. (#100002) 2022-12-05T20:55:45Z Gregory P. Smith greg@krypto.org 2022-12-05T20:55:45Z d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828 Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. 
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
 gh-87389: Fix an open redirection vulnerability in http.server. (#93879) 2022-06-21T20:16:57Z Gregory P. Smith greg@krypto.org 2022-06-21T20:16:57Z 4abab6b603dd38bec1168e9a37c40a48ec89508e Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. 
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
 bpo-47061: deprecate cgi and cgitb (GH-32410) 2022-04-09T00:15:35Z Brett Cannon brett@python.org 2022-04-09T00:15:35Z cd29bd13ef1fe18970c5d43b66c545dd03117cb9 Part of PEP 594. 
Part of PEP 594.
 bpo-40280: Skip socket, fork, subprocess tests on Emscripten (GH-31986) 2022-03-22T10:04:36Z Christian Heimes christian@python.org 2022-03-22T10:04:36Z deeaac49e267285158264643799624623f4a7b29 - Add requires_fork and requires_subprocess to more tests - Skip extension import tests if dlopen is not available - Don't assume that _testcapi is a shared extension - Skip a lot of socket tests that don't work on Emscripten - Skip mmap tests, mmap emulation is incomplete - venv does not work yet - Cannot get libc from executable The "entire" test suite is now passing on Emscripten with EMSDK from git head (91 suites are skipped). 
- Add requires_fork and requires_subprocess to more tests
- Skip extension import tests if dlopen is not available
- Don't assume that _testcapi is a shared extension
- Skip a lot of socket tests that don't work on Emscripten
- Skip mmap tests, mmap emulation is incomplete
- venv does not work yet
- Cannot get libc from executable

The "entire" test suite is now passing on Emscripten with EMSDK from git head (91 suites are skipped).
 bpo-45229: Remove test_main in many tests (GH-28405) 2021-09-19T12:27:33Z Serhiy Storchaka storchaka@gmail.com 2021-09-19T12:27:33Z 40348acc180580371d25f75f46b27048e35f2435 Instead of explicitly enumerate test classes for run_unittest() use the unittest ability to discover tests. This also makes these tests discoverable and runnable with unittest. load_tests() can be used for dynamic generating tests and adding doctests. setUpModule(), tearDownModule() and addModuleCleanup() can be used for running code before and after all module tests. 
Instead of explicitly enumerate test classes for run_unittest()
use the unittest ability to discover tests. This also makes these
tests discoverable and runnable with unittest.

load_tests() can be used for dynamic generating tests and adding
doctests. setUpModule(), tearDownModule() and addModuleCleanup()
can be used for running code before and after all module tests.
 bpo-44647: Fix test_httpservers failing on Unicode characters in os.environ on Windows (GH-27161) 2021-07-15T19:14:24Z Ɓukasz Langa lukasz@langa.pl 2021-07-15T19:14:24Z 82b218f36ce6ef910bda5af227a9fd5be613c94f GH-23638 introduced a new test for Accept: headers in CGI HTTP servers. This test serializes all of os.environ on the server side. For non-UTF8 locales this can fail for some Unicode characters found in environment variables. This change fixes the HTTP_ACCEPT test. 
GH-23638 introduced a new test for Accept: headers in CGI HTTP servers. This test serializes all of os.environ on the server side. For non-UTF8 locales this can fail for some Unicode characters found in environment variables. This change fixes the HTTP_ACCEPT test.