Commit message | Author | Age | Files | Lines
(GH-100986) (GH-115606)
Update _get_hostport to always remove square brackets
from IPv6 addresses. Then add them if needed
in "CONNECT .." and "Host: ".
(cherry picked from commit 465db27cb983084e718a1fd9519b2726c96935cb)
Co-authored-by: Derek Higgins <derekh@redhat.com>
reading all data (GH-113200) (GH-113260)
(cherry picked from commit 41336a72b90634d5ac74a57b6826e4dd6fe78eac)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
(GH-93324) (#112273)
gh-73561: Omit interface scope from IPv6 when used as Host header (GH-93324)
Omit the `@interface_scope` from an IPv6 address when used as Host header by `http.client`.
---------
(cherry picked from commit ce1096f974d3158a92e050f9226700775b8db398)
[Google LLC]
Co-authored-by: Michael <35783820+mib1185@users.noreply.github.com>
(gh-104971)
gh-104924: Fix `read()able` in `http.client` log messages (gh-104926)
(cherry picked from commit 6c81d7572edbe3a5800b1128e55a2dcef03cc13c)
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
consist only of digits (GH-103205) (#104438)
gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (GH-103205)
Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too long.
---------
(cherry picked from commit cf720acfcbd8c9c25a706a4b6df136465a803992)
Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
SimpleHTTPRequestHandler (GH-104067) (#104123)
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
---------
(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
GH-103472: close response in HTTPConnection._tunnel (GH-103473)
Avoid a potential `ResourceWarning` in `http.client.HTTPConnection`
by closing the proxy / tunnel's CONNECT response explicitly.
---------
(cherry picked from commit 9de0cf20fa0485e327e57cc0864c7476da85cfad)
Co-authored-by: Thomas Grainger <tagrain@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
output (GH-103113) (#103119)
(cherry picked from commit d052a383f1a0c599c176a12c73a761ca00436d8b)
Co-authored-by: Bernhard Wagner <github.comNotification20120125@xmlizer.net>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Co-authored-by: Éric <merwok@netwok.org>
(GH-100505)
Co-authored-by: James Frost <git@frost.cx>
(GH-99616) (GH-100377)
(cherry picked from commit 44892d45b038f919b0378590a776580a9d73b291)
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was. Without this a \xHH is ambiguous as to whether it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
(cherry picked from commit 7e29398407dbd53b714702abb89aa2fd7baca48a)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
(cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
MozillaCookieJar works for curl's cookies
(cherry picked from commit 0ea8b925d096629852d1045c2c53ff6ad63199cc)
Co-authored-by: Boris Verkhovskiy <boris.verk@gmail.com>
Reindent files which were not properly formatted (PEP 8: 4 spaces).
Remove also some trailing spaces.
(cherry picked from commit e87ada48a9e5d9d03f9759138869216df0d7383a)
Co-authored-by: Victor Stinner <vstinner@python.org>
Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
{LWP,Mozilla}CookieJar.save() (GH-93463) (GH-93636)
Note: This change is not effective on Microsoft Windows.
Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.
The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creator of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a way to circumvent the filesystem's permissions.
This change is backwards incompatible. Systems that rely on world-readable
cookies will break. However, one could argue that those are misconfigured in
the first place.
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Pascal Wittmann <mail@pascal-wittmann.de>
Co-authored-by: Christian Heimes <christian@python.org>
* Add HTTPMethod enum to http
Create a StrEnum for the 9 common HTTP methods.
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
(GH-30701)
Fix command-line option -d/--directory in http.server main
function that was ignored when combined with --cgi.
Automerge-Triggered-By: GH:merwok
Operating systems without support for TCP_NODELAY will raise an OSError
when trying to set the socket option, but the show can still go on.
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
301s (GH-25705)
* Set content-length for simple http server 301s
When http.server.SimpleHTTPRequestHandler sends a 301 (Moved
Permanently) due to a missing file, it does not set a Content-Length
of 0. Unfortunately, certain clients can be left waiting for the
connection to be closed in this circumstance, even though no body
will be sent. At time of writing, both curl and Firefox demonstrate
this behavior.
* Test Content-Length on simple http server redirect
When serving a redirect, the SimpleHTTPRequestHandler will now send
`Content-Length: 0`. Several tests for http.server already cover
various behaviors and checks including redirection. This change only
adds one check for the expected Content-Length on the simplest case
for a redirect.
* Add news entry for SimpleHTTPRequestHandler fix
* Clarify the specific kind of 301
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
Continue (GH-25916)
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Add audit events to the `http.client` module
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
add:
* `_simple_enum` decorator to transform a normal class into an enum
* `_test_simple_enum` function to compare
* `_old_convert_` to enable checking `_convert_` generated enums
`_simple_enum` takes a normal class and converts it into an enum:
    from enum import Enum, _simple_enum

    @_simple_enum(Enum)
    class Color:
        RED = 1
        GREEN = 2
        BLUE = 3
`_old_convert_` works much like `_convert_` does, using the original logic:
    # in a test file
    import _socket, socket, enum
    CheckedAddressFamily = enum._old_convert_(
        enum.IntEnum, 'AddressFamily', 'socket',
        lambda C: C.isupper() and C.startswith('AF_'),
        source=_socket,
    )
`_test_simple_enum` takes a traditional enum and a simple enum and
compares the two:
    # in the REPL or the same module as Color
    from enum import _test_simple_enum

    class CheckedColor(Enum):
        RED = 1
        GREEN = 2
        BLUE = 3
    _test_simple_enum(CheckedColor, Color)
    _test_simple_enum(CheckedAddressFamily, socket.AddressFamily)
Any important differences will raise a TypeError
This reverts commit dbac8f40e81eb0a29dc833e6409a1abf47467da6.
add:
_simple_enum decorator to transform a normal class into an enum
_test_simple_enum function to compare
_old_convert_ to enable checking _convert_ generated enums
_simple_enum takes a normal class and converts it into an enum:
    from enum import Enum, _simple_enum

    @_simple_enum(Enum)
    class Color:
        RED = 1
        GREEN = 2
        BLUE = 3
_old_convert_ works much like _convert_ does, using the original logic:
    # in a test file
    import _socket, socket, enum
    CheckedAddressFamily = enum._old_convert_(
        enum.IntEnum, 'AddressFamily', 'socket',
        lambda C: C.isupper() and C.startswith('AF_'),
        source=_socket,
    )
_test_simple_enum takes a traditional enum and a simple enum and
compares the two:
    # in the REPL or the same module as Color
    from enum import _test_simple_enum

    class CheckedColor(Enum):
        RED = 1
        GREEN = 2
        BLUE = 3
    _test_simple_enum(CheckedColor, Color)
    _test_simple_enum(CheckedAddressFamily, socket.AddressFamily)
Any important differences will raise a TypeError
We now buffer the CONNECT request + tunnel HTTP headers into a single
send call. This prevents the OS from generating multiple network
packets for connection setup when not necessary, improving efficiency.
Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
Add support for HTTP Only flag in MozillaCookieJar
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
reject control chars in http method in http.client.putrequest to prevent http header injection
I've done the implementation for both non-chunked and chunked reads. I haven't benchmarked chunked reads because I don't currently have a convenient way to generate a high-bandwidth chunked stream, but I don't see any reason that it shouldn't enjoy the same benefits that the non-chunked case does. I've used the benchmark attached to the bpo bug to verify that performance now matches the unsized read case.
Automerge-Triggered-By: @methane
- concurrent.futures
- ctypes
- http.cookies
- multiprocessing
- queue
- tempfile
- unittest.case
- urllib.parse
CGIHTTPRequestHandler of http.server now logs the CGI script exit
code, rather than the CGI script exit status of os.waitpid().
For example, if the script is killed by signal 11, it now logs:
"CGI script exit code -11."
Add host validation for control characters for more CVE-2019-18348 protection.
Add status codes 103 EARLY_HINTS and 425 TOO_EARLY.
Fixes error attempting to bind to IPv4 address.