summaryrefslogtreecommitdiffstats
path: root/Lib/http
Commit message (Collapse)AuthorAgeFilesLines
* Document that MozillaCookieJar works for curl's cookie files (#91852)Boris Verkhovskiy2022-10-031-1/+1
| | | MozillaCookieJar works for curl's cookies
* gh-95149: Enhance `http.HTTPStatus` with properties that indicate the HTTP ↵Alexandru Mărășteanu2022-08-301-0/+20
| | | | status category (GH-95453)
* Run Tools/scripts/reindent.py (#94225)Victor Stinner2022-06-261-1/+1
| | | | | Reindent files which were not properly formatted (PEP 8: 4 spaces). Remove also some trailing spaces.
* gh-94172: urllib.request avoids deprecated check_hostname (#94193)Victor Stinner2022-06-241-15/+17
| | | | | | | | | | | The urllib.request no longer uses the deprecated check_hostname parameter of the http.client module. Add private http.client._create_https_context() helper to http.client, used by urllib.request. Remove the now redundant check on check_hostname and verify_mode in http.client: the SSLContext.check_hostname setter already implements the check.
* gh-91219: Add an index_pages default list and parameter to ↵Myron Walker2022-06-231-2/+5
| | | | | | | | SimpleHTTPRequestHandler (GH-31985) * Add an index_pages default list to SimpleHTTPRequestHandler and an optional constructor parameter that allows the default indexes pages list to be overridden. This makes it easy to set a new index page name without having to override send_head.
* gh-87389: Fix an open redirection vulnerability in http.server. (#93879)Gregory P. Smith2022-06-211-0/+7
| | | | | | | | Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google].
* gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() ↵Pascal Wittmann2022-06-071-2/+2
| | | | | | | | | | | | | | | | | | | (GH-93463) Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
* gh-91996: Add an HTTPMethod StrEnum to http (GH-91997)cibofo2022-05-051-2/+31
| | | | | | | * Add HTTPMethod enum to http Create a StrEnum for the 9 common HTTP methods. Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
* bpo-46285: Add command-line option -p/--protocol to module http.server (#30999)Géry Ogam2022-05-021-7/+12
| | | | Co-authored-by: Éric <merwok@netwok.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* bpo-42066: CookieJar cookies should not be sorted (GH-22745)Iman Kermani2022-04-211-7/+2
|
* bpo-46075: Store localhost cookies in CookieJar (#30108)Nick2022-04-191-2/+3
| | | Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* closes bpo-46736: SimpleHTTPRequestHandler now uses HTML5. (GH-31533)Dong-hee Na2022-02-231-12/+10
| | | Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
* bpo-46436: Fix command-line option -d/--directory in module http.server ↵Géry Ogam2022-02-031-13/+14
| | | | | | | | (GH-30701) Fix command-line option -d/--directory in http.server main function that was ignored when combined with --cgi. Automerge-Triggered-By: GH:merwok
* bpo-46565: `del` loop vars that are leaking into module namespaces (GH-30993)Nikita Sobolev2022-02-031-2/+1
|
* bpo-28953: Use `raise from` when raising new IncompleteRead (GH-29861)1809092021-12-071-2/+2
| | | Automerge-Triggered-By: GH:asvetlov
* bpo-45328: Avoid failure in OSs without TCP_NODELAY support (GH-28646)rtobar2021-10-061-1/+7
| | | | | Operating systems without support for TCP_NODELAY will raise an OSError when trying to set the socket option, but the show can still go on.
* Fix typos in multiple files (GH-26689)Binbin2021-06-131-1/+1
| | | Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
* bpo-43972: Set content-length to 0 for http.server.SimpleHTTPRequestHandler ↵Stephen Rosen2021-05-061-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | 301s (GH-25705) * Set content-length for simple http server 301s When http.server.SimpleHTTPRequestHandler sends a 301 (Moved Permanently) due to a missing file, it does not set a Content-Length of 0. Unfortunately, certain clients can be left waiting for the connection to be closed in this circumstance, even though no body will be sent. At time of writing, both curl and Firefox demonstrate this behavior. * Test Content-Length on simple http server redirect When serving a redirect, the SimpleHTTPRequestHandler will now send `Content-Length: 0`. Several tests for http.server already cover various behaviors and checks including redirection. This change only adds one check for the expected Content-Length on the simplest case for a redirect. * Add news entry for SimpleHTTPRequestHandler fix * Clarify the specific kind of 301 Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
* bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 ↵Gen Xu2021-05-051-17/+21
| | | | | | | Continue (GH-25916) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org>
* bpo-37363: Add audit events to the `http.client` module (GH-21321)Saiyang Gou2021-04-231-0/+4
| | | | | Add audit events to the `http.client` module Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
* bpo-38659: [Enum] add _simple_enum decorator (GH-25497)Ethan Furman2021-04-211-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add: * `_simple_enum` decorator to transform a normal class into an enum * `_test_simple_enum` function to compare * `_old_convert_` to enable checking `_convert_` generated enums `_simple_enum` takes a normal class and converts it into an enum: @simple_enum(Enum) class Color: RED = 1 GREEN = 2 BLUE = 3 `_old_convert_` works much like` _convert_` does, using the original logic: # in a test file import socket, enum CheckedAddressFamily = enum._old_convert_( enum.IntEnum, 'AddressFamily', 'socket', lambda C: C.isupper() and C.startswith('AF_'), source=_socket, ) `_test_simple_enum` takes a traditional enum and a simple enum and compares the two: # in the REPL or the same module as Color class CheckedColor(Enum): RED = 1 GREEN = 2 BLUE = 3 _test_simple_enum(CheckedColor, Color) _test_simple_enum(CheckedAddressFamily, socket.AddressFamily) Any important differences will raise a TypeError
* Revert "bpo-38659: [Enum] add _simple_enum decorator (GH-25285)" (GH-25476)Ethan Furman2021-04-201-4/+2
| | | This reverts commit dbac8f40e81eb0a29dc833e6409a1abf47467da6.
* bpo-38659: [Enum] add _simple_enum decorator (GH-25285)Ethan Furman2021-04-201-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add: _simple_enum decorator to transform a normal class into an enum _test_simple_enum function to compare _old_convert_ to enable checking _convert_ generated enums _simple_enum takes a normal class and converts it into an enum: @simple_enum(Enum) class Color: RED = 1 GREEN = 2 BLUE = 3 _old_convert_ works much like _convert_ does, using the original logic: # in a test file import socket, enum CheckedAddressFamily = enum._old_convert_( enum.IntEnum, 'AddressFamily', 'socket', lambda C: C.isupper() and C.startswith('AF_'), source=_socket, ) test_simple_enum takes a traditional enum and a simple enum and compares the two: # in the REPL or the same module as Color class CheckedColor(Enum): RED = 1 GREEN = 2 BLUE = 3 _test_simple_enum(CheckedColor, Color) _test_simple_enum(CheckedAddressFamily, socket.AddressFamily) Any important differences will raise a TypeError
* Update client.py (GH-24827)Géry Ogam2021-03-131-3/+0
|
* bpo-43332: Buffer proxy connection setup packets before sending. (GH-24780)Gregory P. Smith2021-03-081-10/+11
| | | | | | We now buffer the CONNECT request + tunnel HTTP headers into a single send call. This prevents the OS from generating multiple network packets for connection setup when not necessary, improving efficiency.
* Fix typo in docstring (GH-23515)Fernando Toledo2020-12-211-1/+1
|
* GH-5054: CGIHTTPRequestHandler.run_cgi() HTTP_ACCEPT improperly parsed (#23638)Senthil Kumaran2020-12-051-6/+1
|
* Remove the conditional for setting query. (#23604)Senthil Kumaran2020-12-031-2/+1
|
* bpo-42413: socket.timeout is now an alias of TimeoutError (GH-23413)Christian Heimes2020-11-201-1/+1
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40968: Send http/1.1 ALPN extension (#20959)Christian Heimes2020-11-131-0/+3
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-38976: Add support for HTTP Only flag in MozillaCookieJar (#17471)Jacob Neil Taylor2020-10-231-14/+26
| | | | | Add support for HTTP Only flag in MozillaCookieJar Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
* bpo-39603: Prevent header injection in http methods (GH-18485)AMIR2020-07-181-0/+15
| | | reject control chars in http method in http.client.putrequest to prevent http header injection
* bpo-41002: Optimize HTTPResponse.read with a given amount (GH-20943)Bruce Merry2020-06-251-10/+25
| | | | | I've done the implementation for both non-chunked and chunked reads. I haven't benchmarked chunked reads because I don't currently have a convenient way to generate a high-bandwidth chunked stream, but I don't see any reason that it shouldn't enjoy the same benefits that the non-chunked case does. I've used the benchmark attached to the bpo bug to verify that performance now matches the unsized read case. Automerge-Triggered-By: @methane
* bpo-39481: PEP 585 for a variety of modules (GH-19423)Batuhan Taşkaya2020-04-101-0/+3
| | | | | | | | | | - concurrent.futures - ctypes - http.cookies - multiprocessing - queue - tempfile - unittest.case - urllib.parse
* bpo-40094: CGIHTTPRequestHandler logs exit code (GH-19285)Victor Stinner2020-04-021-2/+3
| | | | | | | CGIHTTPRequestHandler of http.server now logs the CGI script exit code, rather than the CGI script exit status of os.waitpid(). For example, if the script is killed by signal 11, it now logs: "CGI script exit code -11."
* bpo-39507: Add HTTP status 418 "I'm a Teapot" (GH-18291)Ross2020-03-151-0/+3
|
* bpo-38576: Disallow control characters in hostnames in http.client (GH-18995)Ashwin Ramaswami2020-03-141-0/+10
| | | | Add host validation for control characters for more CVE-2019-18348 protection.
* bpo-39509: Update HTTP status code to follow IANA (GH-18294)Dong-hee Na2020-03-141-0/+4
| | | Add status codes 103 EARLY_HINTS and 425 TOO_EARLY.
* bpo-35292: Avoid calling mimetypes.init when http.server is imported (GH-17822)An Long2020-01-081-13/+10
|
* bpo-38907: Suppress any exception when attempting to set V6ONLY. (GH-17864)Jason R. Coombs2020-01-061-1/+5
| | | Fixes error attempting to bind to IPv4 address.
* bpo-38907: In http.server script, restore binding to IPv4 on Windows. (GH-17851)Jason R. Coombs2020-01-061-1/+13
|
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157)bcaller2019-11-221-6/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) # Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 # Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): # Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
* bpo-38863: Improve is_cgi() in http.server (GH-17312)Siwon Kang2019-11-221-2/+4
| | | | | | | | | | | | | | | | | | | is_cgi() function of http.server library does not currently handle a cgi script if one of the cgi_directories is located at the sub-directory of given path. Since is_cgi() in CGIHTTPRequestHandler class separates given path into (dir, rest) based on the first seen '/', multi-level directories like /sub/dir/cgi-bin/hello.py is divided into head=/sub, rest=dir/cgi-bin/hello.py then check whether '/sub' exists in cgi_directories = [..., '/sub/dir/cgi-bin']. This patch makes the is_cgi() keep expanding dir part to the next '/' then checking if that expanded path exists in the cgi_directories. Signed-off-by: Siwon Kang <kkangshawn@gmail.com> https://bugs.python.org/issue38863
* bpo-38216, bpo-36274: Allow subclasses to separately override validation and ↵Jason R. Coombs2019-09-281-9/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | encoding behavior (GH-16448) * bpo-38216: Allow bypassing input validation * bpo-36274: Also allow the URL encoding to be overridden. * bpo-38216, bpo-36274: Add tests demonstrating a hook for overriding validation, test demonstrating override encoding, and a test to capture expectation of the interface for the URL. * Call with skip_host to avoid tripping on the host checking in the URL. * Remove obsolete comment. * Make _prepare_path_encoding its own attr. This makes overriding just that simpler. Also, don't use the := operator to make backporting easier. * Add a news entry. * _prepare_path_encoding -> _encode_prepared_path() * Once again separate the path validation and request encoding, drastically simplifying the behavior. Drop the guarantee that all processing happens in _prepare_path.
* bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies ↵Xtreak2019-09-131-2/+1
| | | | | | | | | | | | | | (GH-13921) Handle time comparison for cookies with `expires` attribute when `CookieJar.make_cookies` is called. Co-authored-by: Demian Brecht <demianbrecht@gmail.com> https://bugs.python.org/issue12144 Automerge-Triggered-By: @asvetlov
* bpo-35640: Allow passing PathLike arguments to SimpleHTTPRequestHandler ↵Géry Ogam2019-09-111-1/+1
| | | | (GH-11398)
* bpo-26589: Add http status code 451 (GH-15413)Raymond Hettinger2019-08-231-0/+5
|
* Correct description of HTTP status code 308. (GH-15078)Florian Wendelborn2019-08-031-1/+1
| | | Permanent redirect was explained as a temporary redirect.
* bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)Christian Heimes2019-07-011-0/+7
| | | | | | Post-handshake authentication is required for conditional client cert authentication with TLS 1.3. https://bugs.python.org/issue37440
* bpo-36793: Remove unneeded __str__ definitions. (GH-13081)Serhiy Storchaka2019-05-061-2/+1
| | | | Classes that define __str__ the same as __repr__ can just inherit it from object.