| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
SimpleHTTPRequestHandler page (GH-134135) (GH-134191)
The query and fragment are ambiguous and not used.
(cherry picked from commit 5cbc8c632e860941602e8f7da9aab52fae40aca6)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
| |
SimpleHTTPRequestHandler (GH-134099) (GH-134124)
(cherry picked from commit 2f1ecb3bc474a5895dce090cca7b8afe7b560040)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
version (GH-130632) (GH-132303)
* Always quote strings with non-ASCII characters.
* Allow some non-separator and non-control characters (like "." or "-")
be unquoted.
* Always quote strings that end with "\n".
* Use the fullmatch() method for clarity and optimization.
(cherry picked from commit 7ebbd271444d89218870169624921b795a717470)
|
| |
|
|
|
|
|
|
| |
(GH-132137) (#132150)
Docs: Replace dead hyperlink for CGI environment variables (GH-132137)
(cherry picked from commit 0a10b45dd16a8c971363d917b9ebd1266e65f710)
Co-authored-by: Srinivas Reddy Thatiparthy (తాటిపర్తి శ్రీనివాస్ రెడ్డి) <thatiparthysreenivas@gmail.com>
|
| |
|
|
|
|
|
|
| |
(#129414)
gh-129408: http: Fix typo 'RFF' to RFC' in documentation (GH-129411)
(cherry picked from commit 7dd0a7e52ee832559b89d5ccba732c8e91260df8)
Co-authored-by: Samuel GIFFARD <samuel@giffard.co>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
`HTTPResponse.read()` (GH-128270) (#129395)
gh-112064: Fix incorrect handling of negative read sizes in `HTTPResponse.read()` (GH-128270)
The parameter `amt` of `HTTPResponse.read()`, which could be a negative integer,
has not been handled before and led to waiting for the connection to close
for `keep-alive connections`. Now, this has been fixed, and passing negative values
to `HTTPResponse().read()` works the same as passing `None` value.
(cherry picked from commit 4d0d24f6e3dff2864007c3cfd1cf7d49c6ee5317)
Co-authored-by: Yury Manushkin <manushkin@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
format (GH-123405) (#127828)
gh-123401: Fix http.cookies module to support obsolete RFC 850 date format (GH-123405)
(cherry picked from commit 359389ed51aecc107681e600b71852c0a97304e1)
Co-authored-by: Nano <nanoapezlk@gmail.com>
Co-authored-by: Wulian <1055917385@qq.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
| |
with backslashes (GH-123075) (#123103)
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
This fixes CVE-2024-7592.
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
| |
point" (GH-121907) (GH-122012)
(cherry picked from commit 1a0c7b9ba48a2dffb70bb0c7327abae1d3e87356)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rfc9110 obsoletes the earlier rfc 7231. This document also includes some
status codes that were previously only used for WebDAV and assigns more
generic names to these status codes.
ref: https://www.rfc-editor.org/rfc/rfc9110.html#name-changes-from-rfc-7231
- http.HTTPStatus.CONTENT_TOO_LARGE (413, previously
REQUEST_ENTITY_TOO_LARGE)
- http.HTTPStatus.URI_TOO_LONG (414, previously REQUEST_URI_TOO_LONG)
- http.HTTPStatus.RANGE_NOT_SATISFYABLE (416, previously
REQUEST_RANGE_NOT_SATISFYABLE)
- http.HTTPStatus.UNPROCESSABLE_CONTENT (422, previously
UNPROCESSABLE_ENTITY)
The new constants are added to http.HTTPStatus and the old constant names are
preserved for backwards compatibility.
References in documentation to the obsoleted rfc 7231 are updated
|
| |
|
|
|
|
| |
Update _get_hostport to always remove square brackets
from IPv6 addresses. Then add them if needed
in "CONNECT .." and "Host: ".
|
| |
|
|
| |
reading all data (GH-113200)
|
| |
|
|
|
|
|
| |
Omit the `@interface_scope` from an IPv6 address when used as Host header by `http.client`.
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google LLC]
|
| |
|
|
|
| |
Deprecate `http.server.CGIHTTPRequestHandler`.
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
| |
|
|
| |
`HTTPConnection.get_proxy_response_headers` (#105628)
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
(#104248)
Add http.client.HTTPConnection method get_proxy_response_headers() - this is a followup to https://github.com/python/cpython/pull/26152 which added it as a non-public attribute. This way we don't pre-compute a headers dictionary that most users will never access. The new method is properly public and documented and triggers full proxy header parsing into a dict only when actually called.
---------
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
| |
only of digits (#103205)
Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.
---------
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
| |
Add _proxy_response_headers attribute to HTTPConnection (#26152)
---------
Co-authored-by: Senthil Kumaran <senthil@python.org>
|
| |
|
|
|
|
|
|
|
|
| |
(#104067)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
| |
|
|
|
|
|
|
| |
Avoid a potential `ResourceWarning` in `http.client.HTTPConnection`
by closing the proxy / tunnel's CONNECT response explicitly.
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
| |
Using `datetime.datetime.utcnow()` and `datetime.datetime.utcfromtimestamp()` will now raise a `DeprecationWarning`.
We also have removed our internal uses of these functions and documented the change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-22708: Upgrade HTTP CONNECT to protocol HTTP/1.1 (GH-NNNN)
Use protocol HTTP/1.1 when sending HTTP CONNECT tunnelling requests;
generate Host: headers if one is not already provided (required by
HTTP/1.1), convert IDN domains to punycode in HTTP CONNECT requests.
* Refactor tests to pass under -bb (fix ByteWarnings); missed some lines >80.
* Use consistent 'tunnelling' spelling in Lib/http/client.py
* Lib/test/test_httplib: Remove remnant of obsoleted test.
* Use dict.copy() not copy.copy()
* fix version changed
* Update Lib/http/client.py
Co-authored-by: bgehman <bgehman@users.noreply.github.com>
* Switch to for/else: syntax, as suggested
* Don't use for: else:
* Sure, fine, w/e
* Oops
* 1nm to the left
---------
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: bgehman <bgehman@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
|
| |
|
|
|
|
|
| |
(#103113)
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Co-authored-by: Éric <merwok@netwok.org>
|
| |
|
| |
Remove previously added parameter to `__init__`, and recommend subclassing to modify the `index_pages` attribute instead.
|
| |
|
|
|
| |
`IPV4_RE` includes a `.`, and the `.find(".") == -1` included here is already testing to make sure there's no dot, so this part of the expression is tautological. Instead use more modern `in` syntax to make it clear what the check is doing here. The simplified implementation more clearly matches the wording in RFC 2965.
Co-authored-by: hauntsaninja <hauntsaninja@gmail.com>
|
| |
|
|
|
|
|
| |
If you had a directory called index.html or index.htm within a directory, it would cause http.server to return a 404 Not Found error instead of the directory listing. This came about due to not checking that the index was a regular file.
I have also added a test case for this situation.
Automerge-Triggered-By: GH:merwok
|
| |
|
| |
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
| |
|
|
|
|
|
| |
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was. Without this a \xHH is ambiguious as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
|
| |
|
| |
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove the keyfile, certfile and check_hostname parameters,
deprecated since Python 3.6, in modules: ftplib, http.client,
imaplib, poplib and smtplib. Use the context parameter (ssl_context
in imaplib) instead.
Parameters following the removed parameters become keyword-only
parameters.
ftplib: Remove the FTP_TLS.ssl_version class attribute: use the
context parameter instead.
|
| |
|
| |
MozillaCookieJar works for curl's cookies
|
| |
|
|
| |
status category (GH-95453)
|
| |
|
|
|
| |
Reindent files which were not properly formatted (PEP 8: 4 spaces).
Remove also some trailing spaces.
|
| |
|
|
|
|
|
|
|
|
|
| |
The urllib.request no longer uses the deprecated check_hostname
parameter of the http.client module.
Add private http.client._create_https_context() helper to http.client,
used by urllib.request.
Remove the now redundant check on check_hostname and verify_mode in
http.client: the SSLContext.check_hostname setter already implements
the check.
|
| |
|
|
|
|
|
|
| |
SimpleHTTPRequestHandler (GH-31985)
* Add an index_pages default list to SimpleHTTPRequestHandler and an
optional constructor parameter that allows the default indexes pages
list to be overridden. This makes it easy to set a new index page name
without having to override send_head.
|
| |
|
|
|
|
|
|
| |
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-93463)
Note: This change is not effective on Microsoft Windows.
Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.
The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creater of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a ways to circumvent the filesystems permissions.
This change is backwards incompatible. Systems that rely on world-readable
cookies will breake. However, one could argue that those are misconfigured in
the first place.
|
| |
|
|
|
|
|
| |
* Add HTTPMethod enum to http
Create a StrEnum for the 9 common HTTP methods.
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
|
| |
|
|
| |
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
| | |
|
| |
|
| |
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
| |
|
| |
Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
|
| |
|
|
|
|
|
|
| |
(GH-30701)
Fix command-line option -d/--directory in http.server main
function that was ignored when combined with --cgi.
Automerge-Triggered-By: GH:merwok
|
| | |
|
| |
|
| |
Automerge-Triggered-By: GH:asvetlov
|
| |
|
|
|
| |
Operating systems without support for TCP_NODELAY will raise an OSError
when trying to set the socket option, but the show can still go on.
|
| |
|
| |
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
|
